AN1385: Analytic 1385
Hidden file creation using leading '.' or file attribute changes with chattr (immutable/hidden flags). Defender view: detect execution of chattr, lsattr anomalies, and unusual hidden files appearing in system directories.
Analyst context for executives and security teams
This analytic matters because hidden or attribute-protected files on Linux can reduce visibility during an incident and complicate recovery. For leaders, the practical question is whether critical Linux systems have enough file, process, and command telemetry to notice suspicious hidden files in system directories or use of utilities such as chattr and lsattr before they become an investigation blind spot.
Executive priority
Prioritize this as a Linux visibility and incident-readiness control check, especially for servers supporting business-critical services. It helps validate whether SOC and IR teams can produce evidence around unusual file hiding behavior, support audit/compliance questions about monitoring coverage, and reduce recovery delays caused by files that are difficult to see or modify. Because ATT&CK provides no tactic mapping or relationship context here, treat this as a defensive analytic validation item rather than a standalone risk conclusion.
Technical view
Validate monitoring for Linux process execution involving chattr and lsattr, file creation events for leading-dot filenames, and unexpected hidden files appearing in system directories. Detection engineering should focus on distinguishing normal administrative or package-management activity from unusual attribute changes or hidden-file creation in sensitive paths. IR playbooks should include checks for file attributes and hidden entries when reviewing Linux persistence, tampering, or suspicious filesystem changes, while noting that the official detection field is not populated beyond the analytic description.
Likely telemetry
- Linux process execution logs for chattr and lsattr
- File creation or file modification telemetry showing leading-dot filenames
- Filesystem attribute-change evidence where available
- Directory inventory or file integrity monitoring for system directories
- Administrative activity logs that can explain legitimate use of file attribute utilities
Detection direction
- Confirm the organization actually collects Linux process and filesystem telemetry on systems where this analytic is expected to operate.
- Tune alerts for chattr execution and lsattr anomalies with context such as user, parent process, target path, and whether the path is a system directory.
- Look for newly appearing leading-dot files in system directories, while accounting for legitimate hidden configuration files and software behavior.
- Correlate file attribute changes with recent administrative maintenance to reduce false positives.
- Document blind spots where endpoint agents, audit policies, or file integrity tooling do not capture attribute changes or hidden-file creation.
Mitigation priorities
- Establish baseline expectations for hidden files and file attributes on critical Linux system directories.
- Limit administrative privileges needed to change sensitive file attributes according to existing access-control policy.
- Use file integrity monitoring or equivalent change tracking on important Linux paths where operationally feasible.
- Ensure incident response procedures include hidden-file and attribute review during Linux host triage.
- Retain sufficient process and filesystem telemetry to support investigation and compliance evidence.
Analyst notes and limits
This is a detection analytic object, not a technique object. The supplied ATT&CK fields identify Linux as the platform and describe hidden file creation using leading-dot names or file attribute changes with chattr, plus defender checks for chattr, lsattr anomalies, and unusual hidden files in system directories. No tactics, relationships, aliases, or detailed official detection logic were supplied.
The source does not provide an official detection query, tactic mapping, related techniques, adversary relationships, or evidence of active exploitation. Local baselines are required because hidden files and attribute utilities can be legitimate in Linux administration.
Analytic 1385
Hidden file creation using leading '.' or file attribute changes with chattr (immutable/hidden flags). Defender view: detect execution of chattr, lsattr anomalies, and unusual hidden files appearing in system directories.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | ad5610c7ba7f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1385Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.