AN1384: Analytic 1384
Abuse of file/registry attributes to hide malicious files, directories, or services. Defender view: detection of attrib.exe setting hidden/system flags, creation of Alternate Data Streams, or registry keys altering file visibility.
Analyst context for executives and security teams
AN1384 matters because hidden files, Alternate Data Streams, and registry-based visibility changes can let malicious content or services persist on Windows while appearing absent during routine review. For leaders, the decision value is whether endpoint logging and SOC procedures can prove that suspicious file-hiding behavior is visible before an incident response team has to find it manually.
Executive priority
Prioritize this as a Windows endpoint visibility and incident-readiness control question. Executives and security leaders should ask whether the organization can detect and investigate abuse of file and registry attributes, whether that evidence is retained for response and audit needs, and whether SOC workflows distinguish legitimate administrative use from suspicious concealment behavior.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for Windows activity involving attrib.exe setting hidden or system flags, creation or use of Alternate Data Streams, and registry keys that alter file visibility. Because the ATT&CK object provides no tactic, relationships, or formal detection logic, teams should treat this as a behavioral analytic seed rather than a complete rule. Tune against known administrative, software deployment, and system-management activity before escalating as malicious.
Likely telemetry
- Windows process creation events showing attrib.exe execution and command-line arguments
- File system events indicating hidden or system attribute changes
- File creation or modification events involving Alternate Data Streams
- Windows registry modification events for keys or values that affect file visibility
- Endpoint detection and response telemetry correlating process, file, and registry activity on Windows hosts
Detection direction
- Confirm that command-line logging or equivalent endpoint telemetry captures attrib.exe usage with enough detail to identify hidden/system flag changes.
- Validate whether file monitoring can surface Alternate Data Stream creation or modification, not only standard file writes.
- Review registry telemetry for visibility-related key changes and correlate them with the responsible process and user context.
- Tune detections for expected administrative or software behavior to reduce false positives while preserving visibility into unusual user, path, or process combinations.
- Because no ATT&CK relationships or official detection logic were supplied, avoid assuming coverage against a specific technique chain; test locally against benign simulations and recent endpoint telemetry.
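The detection direction above, worked through as an added example (this is not MITRE's or Glexia's code): a small Python analytic that runs over constructed, Sysmon-like process, file and registry events and flags the three behaviours the analytic names. The event field names, the sample events and the trusted-parent allowlist are assumptions made for the example. Zone.Identifier is treated as the expected benign stream, and the Explorer `Advanced\Hidden` and `Advanced\ShowSuperHidden` values stand in for "registry keys altering file visibility", since the ATT&CK object itself names no specific keys.

```python
"""Added example: an AN1384-style analytic over constructed endpoint telemetry.
Not MITRE's or Glexia's code; the event shape and allowlist are assumptions."""
import re
from dataclasses import dataclass

# attrib.exe flags that hide a file: +h (hidden) and +s (system), case-insensitive.
HIDE_FLAG_RE = re.compile(r"(?<!\S)\+([hs])(?!\S)", re.IGNORECASE)
# Drive-letter path carrying a named stream: C:\dir\file.ext:stream[:$DATA]
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:([^:\\]+)(?::\$DATA)?$", re.IGNORECASE)
# Mark-of-the-web stream written on downloads; expected, not concealment.
BENIGN_STREAMS = {"zone.identifier"}
# Explorer values controlling whether hidden/system files are shown
# (assumption: the analytic names no keys; these are the standard ones).
VISIBILITY_VALUES = {"hidden", "showsuperhidden"}


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    image: str
    evidence: str


def detect(events, trusted_parents=frozenset()):
    """Return findings for hide-flag, ADS and visibility-registry behaviour.

    trusted_parents: lowercase parent image paths (e.g. a deployment agent)
    whose attrib.exe use is accepted as routine administration.
    """
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and ev["image"].lower().endswith("\\attrib.exe"):
            flags = {f.lower() for f in HIDE_FLAG_RE.findall(ev["cmdline"])}
            if flags and ev.get("parent", "").lower() not in trusted_parents:
                findings.append(Finding("attrib_hide_flags", ev["host"], ev["user"],
                                        ev["image"], ev["cmdline"]))
        elif kind == "file":
            m = ADS_RE.match(ev["target"])
            if m and m.group(1).lower() not in BENIGN_STREAMS:
                findings.append(Finding("ads_created", ev["host"], ev["user"],
                                        ev["image"], ev["target"]))
        elif kind == "registry":
            path = ev["target"]
            value = path.rsplit("\\", 1)[-1].lower()
            if "\\explorer\\advanced\\" in path.lower() and value in VISIBILITY_VALUES:
                findings.append(Finding("explorer_visibility_registry", ev["host"],
                                        ev["user"], ev["image"],
                                        f"{path} = {ev.get('details', '?')}"))
    return findings


# Constructed sample telemetry in a simplified, Sysmon-like shape (not real data).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\attrib.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'attrib +h +s "C:\Users\alice\AppData\Roaming\svc\update.exe"'},
    {"type": "process", "host": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\attrib.exe", "parent": r"C:\Program Files\Deploy\agent.exe",
     "cmdline": r"attrib +h C:\ProgramData\Deploy\cache"},
    {"type": "process", "host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\attrib.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"attrib -r C:\Users\alice\Documents\report.docx"},
    {"type": "file", "host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
    {"type": "file", "host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\Downloads\notes.txt:payload"},
    {"type": "registry", "host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\regedit.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "details": "DWORD (0x00000000)"},
]
# Constructed tuning: a known deployment agent whose attrib.exe use is routine.
TRUSTED_PARENTS = frozenset({r"c:\program files\deploy\agent.exe"})

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, TRUSTED_PARENTS):
        print(f"[{f.rule}] {f.host} {f.user} {f.image}\n    {f.evidence}")
```

Run against the sample, the analytic raises three findings: the user-context `attrib +h +s` into a roaming profile path, the non-Zone.Identifier stream written by PowerShell, and the `ShowSuperHidden` change; the deployment agent's `attrib +h` is suppressed by the allowlist, and `attrib -r` does not match because only the hidden and system flags are of interest. In a real environment the allowlist and the path context (user-writable, startup, service directories) are where most of the tuning effort goes.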
Mitigation priorities
- Ensure Windows endpoint logging and retention are sufficient for process, file, Alternate Data Stream, and registry investigations.
- Restrict unnecessary administrative privileges that allow users or processes to modify sensitive file attributes or registry visibility settings.
- Use endpoint hardening and monitoring controls to alert on suspicious concealment behavior in user-writable, startup, service, or application directories where locally relevant.
- Document investigation procedures so responders know how to enumerate hidden files, Alternate Data Streams, and visibility-related registry changes during triage.
- Include this behavior in detection validation and compliance evidence reviews where Windows endpoint monitoring is in scope.
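For the triage procedure in the mitigation list (enumerating hidden files and Alternate Data Streams), an added example that is not part of the page or of MITRE's content: a Python parser over constructed `attrib /s` and `dir /a /r` output, the kind of listing a responder captures from a host and brings back for review. It assumes the common attrib column layout (attribute letters, then the full path) and the `size name:stream:$DATA` line that `dir /r` prints for streams; the sample text is constructed. The stream filter treats only Zone.Identifier as expected, so anything else is listed for a look.

```python
"""Added example: parse responder-captured attrib and dir /r output to list
hidden/system files and non-standard Alternate Data Streams.
Not MITRE's or Glexia's code; sample output below is constructed."""
import re

# attrib output: attribute letters in the leading columns, then the full path.
ATTRIB_LINE_RE = re.compile(r"^([A-Z ]*?)\s*([A-Za-z]:\\\S.*)$")
# dir /r output: a stream line is "<size> <name>:<stream>:$DATA" under a Directory of header.
DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ADS_LINE_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")


def parse_attrib(text):
    """Return {full path: set of attribute letters} from attrib /s output."""
    results = {}
    for line in text.splitlines():
        m = ATTRIB_LINE_RE.match(line)
        if m:
            results[m.group(2)] = set(m.group(1).replace(" ", ""))
    return results


def parse_dir_streams(text):
    """Return [(full path, stream name, size)] for every ADS in dir /a /r output."""
    streams = []
    current = None
    for line in text.splitlines():
        h = DIR_HEADER_RE.match(line)
        if h:
            current = h.group(1)
            continue
        m = ADS_LINE_RE.match(line)
        if m and current:
            size = int(m.group(1).replace(",", ""))
            streams.append((current + "\\" + m.group(2), m.group(3), size))
    return streams


def triage(attrib_text, dir_text, benign_streams=frozenset({"zone.identifier"})):
    """Summarise what a responder should look at: H/S-flagged files and unexpected streams."""
    hidden = [p for p, attrs in parse_attrib(attrib_text).items()
              if "H" in attrs or "S" in attrs]
    streams = [s for s in parse_dir_streams(dir_text)
               if s[1].lower() not in benign_streams]
    return {"hidden_or_system": hidden, "alternate_streams": streams}


# Constructed capture, as from:  attrib /s C:\Users\alice\*
ATTRIB_OUTPUT = r"""
A  SH        C:\Users\alice\AppData\Roaming\svc\update.exe
A            C:\Users\alice\Documents\report.docx
A   H        C:\Users\alice\Downloads\notes.txt
"""

# Constructed capture, as from:  dir /a /r C:\Users\alice\Downloads
DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\Users\alice\Downloads

01/15/2026  10:02 AM    <DIR>          .
01/15/2026  10:02 AM    <DIR>          ..
01/15/2026  10:01 AM            12,288 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
01/15/2026  09:58 AM             4,096 notes.txt
                                51,200 notes.txt:payload:$DATA
               2 File(s)         16,384 bytes
               2 Dir(s)  100,000,000,000 bytes free
"""

if __name__ == "__main__":
    result = triage(ATTRIB_OUTPUT, DIR_OUTPUT)
    for path in result["hidden_or_system"]:
        print("hidden/system:", path)
    for path, stream, size in result["alternate_streams"]:
        print(f"stream: {path}:{stream} ({size} bytes)")
```

On the constructed capture the parser lists the two H/S-flagged files and the 51,200-byte `payload` stream on notes.txt, while the Zone.Identifier stream on setup.exe is filtered as expected. Parsing captured text rather than touching the host keeps the triage step repeatable and lets the same listing be attached to the case record.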
Analyst notes and limits
This take is based on ATT&CK analytic AN1384 for Windows. The official description frames the behavior as abuse of file or registry attributes to hide malicious files, directories, or services, with a defender view covering attrib.exe, Alternate Data Streams, and registry keys altering file visibility. No relationships, tactics, aliases, or official detection content were supplied.
The source object is sparse: it has no tactic mapping, no related techniques, no formal detection query, and no mitigation text. Local environment baselines are required to determine what is suspicious, what is normal administration, and what telemetry is actually collected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2de7c13ff965… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1384 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.