DET0032: Detection Strategy for Hidden Files and Directories
Analyst context for executives and security teams
DET0032 is a detection strategy object for identifying use of hidden files and directories, a stealth behavior associated with ATT&CK technique T1564.001. The business value is not that hidden files are always malicious, but that adversaries can use normal operating system hiding features to reduce visibility into tools, payloads, staging folders, or persistence-related artifacts. Leaders should treat this as a coverage-validation item: can the organization reliably see hidden filesystem changes across Linux, macOS, and Windows where those platforms are in scope?
Executive priority
Prioritize this where endpoint visibility, incident response readiness, and audit evidence depend on knowing what changed on workstations or servers. Hidden files and directories can create investigation blind spots if SOC tooling only surfaces standard user-visible file activity. The key executive question is whether endpoint, logging, and response processes can expose stealthy filesystem artifacts quickly enough to support containment and evidence preservation.
Technical view
The supplied object carries no official detection text, but it detects T1564.001 Hidden Files and Directories, a sub-technique of T1564 Hide Artifacts that sits under the Defense Evasion tactic and applies to Linux, macOS, and Windows. The hiding mechanisms differ by platform: on Linux and macOS a leading dot keeps a file or directory out of default listings, macOS additionally supports the hidden file flag (chflags hidden), and Windows uses the hidden file attribute (attrib +h). SOC and detection engineering teams should validate that endpoint telemetry captures each of these: file and directory attribute or flag changes, creation of dot-prefixed paths, and discovery of hidden artifacts during triage. Detection logic should be environment-aware because hidden files are common for legitimate OS, application, and user configuration purposes.
Likely telemetry
- Endpoint file creation, modification, rename, and deletion events
- File and directory attribute or metadata changes indicating hidden status
- Command-line/process execution telemetry associated with filesystem changes
- EDR or host audit records for Linux, macOS, and Windows endpoints where in scope
- Incident response collection output that includes hidden files and directories, not only default directory listings
Detection direction
- Confirm collection covers hidden file and directory creation or attribute changes, not just visible filesystem activity.
- Tune detections around unusual hidden artifacts in sensitive locations, newly created hidden directories, or hidden files associated with suspicious process activity.
- Account for high false-positive potential from normal OS and application behavior, especially configuration files and system-managed directories.
- Validate response tooling and analyst procedures explicitly reveal hidden files during host triage.
- Use the relationship to T1564.001 as context: detections should support investigation of stealth behavior rather than treat every hidden file as malicious.
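As an added example (not part of the DET0032 object or of Glexia's analysis), the Python sketch below applies the directions above to a handful of constructed endpoint events. The event schema, the starter list of sensitive locations and the expected-hidden baseline are assumptions to be replaced with your own telemetry fields and per-host baselines; the hiding mechanisms it keys on are the platform ones (a leading dot on Linux and macOS, the hidden flag set by chflags hidden on macOS, and the hidden attribute on Windows). Baselined paths are suppressed, hidden artifacts in sensitive locations are raised high, and everything else hidden but unbaselined is raised medium for analyst review rather than treated as malicious.

```python
"""Detection sketch for T1564.001 over constructed endpoint events.

Added example, not code from the ATT&CK DET0032 object or from Glexia.
Assumptions: a flat event dict (host, os, action, path, process, parent,
optional attrs), a starter set of sensitive locations, and a baseline of
hidden paths that are normal on the host. Replace all three per environment.
"""
import fnmatch
import ntpath
import posixpath

# Locations where a newly hidden artifact is worth an analyst's time (assumed
# starter set, stored without a trailing separator; fnmatch '*' also spans
# path separators, so '/tmp/*' covers nested paths).
SENSITIVE_PREFIXES = {
    "linux": ["/tmp", "/var/tmp", "/dev/shm", "/etc/cron.d"],
    "macos": ["/Library/LaunchDaemons", "/Library/LaunchAgents",
              "/Users/*/Library/LaunchAgents", "/tmp"],
    "windows": [r"c:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup",
                r"c:\windows\temp", r"c:\users\public"],
}

# Hidden paths that are expected on the host (assumed baseline; build per
# critical system from a known-good image).
EXPECTED_HIDDEN = {
    "linux": ["/home/*/.bashrc", "/home/*/.profile", "/home/*/.ssh/*", "/home/*/.cache/*"],
    "macos": ["/Users/*/.zshrc", "/Users/*/.DS_Store", "/Users/*/.Trash/*"],
    "windows": [r"*\desktop.ini", r"c:\users\*\ntuser.dat*"],
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "os": "linux", "action": "create", "path": "/tmp/.x/payload",
     "process": "/bin/bash", "parent": "/usr/sbin/apache2"},
    {"host": "ws22", "os": "linux", "action": "create", "path": "/home/alice/.bashrc",
     "process": "/usr/bin/vim", "parent": "/bin/bash"},
    {"host": "mac07", "os": "macos", "action": "attr_change",
     "path": "/Users/bob/Library/LaunchAgents/com.update.plist",
     "process": "/usr/bin/chflags", "parent": "/bin/zsh", "attrs": ["hidden"]},
    {"host": "pc31", "os": "windows", "action": "attr_change",
     "path": r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
     "process": r"C:\Windows\System32\attrib.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "attrs": ["hidden"]},
    {"host": "pc31", "os": "windows", "action": "attr_change",
     "path": r"C:\Users\carol\Documents\desktop.ini",
     "process": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "attrs": ["hidden"]},
    {"host": "app03", "os": "linux", "action": "create", "path": "/opt/app/.cache/lib.so",
     "process": "/usr/bin/python3", "parent": "/usr/bin/python3"},
]


def _norm(os_name, path):
    """Normalise for matching: Windows paths lower-cased via ntpath, others via posixpath."""
    if os_name == "windows":
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path)


def is_hidden(event):
    """True when the event creates or marks a hidden artifact on its platform."""
    attrs = {a.lower() for a in event.get("attrs", [])}
    if "hidden" in attrs:   # Windows hidden attribute, macOS UF_HIDDEN (chflags hidden)
        return True
    if event["os"] in ("linux", "macos"):
        parts = _norm(event["os"], event["path"]).split("/")
        return any(p.startswith(".") and p not in (".", "..") for p in parts)
    return False


def _matches(os_name, path, patterns):
    if os_name == "windows":
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def assess(event):
    """Return (severity, reason) for one event, or None when nothing should fire."""
    if not is_hidden(event):
        return None
    os_name = event["os"]
    path = _norm(os_name, event["path"])
    if _matches(os_name, path, EXPECTED_HIDDEN.get(os_name, [])):
        return None   # baselined: normal OS, application or user configuration
    sep = "\\" if os_name == "windows" else "/"
    sensitive = [p + sep + "*" for p in SENSITIVE_PREFIXES.get(os_name, [])]
    if _matches(os_name, path, sensitive):
        return "high", f"hidden artifact in sensitive location via {event['process']}"
    return "medium", f"unbaselined hidden artifact via {event['process']}"


def run(events):
    """Apply assess() to a batch and return findings in event order."""
    findings = []
    for event in events:
        verdict = assess(event)
        if verdict:
            findings.append({"host": event["host"], "path": event["path"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['path']} ({f['reason']})")
```

Run against the sample batch, the two baselined events (the user's .bashrc and a desktop.ini written by Explorer) produce nothing, the /tmp dotdir, the hidden LaunchAgents plist and the hidden Startup executable fire high, and the unbaselined .cache directory under /opt fires medium. The parent-process field is carried in the events so the same logic can be extended to the "suspicious process activity" direction above (for example, a shell spawned by a web server creating hidden paths) once the environment's process telemetry is known.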
Mitigation priorities
- Ensure endpoint visibility and audit configuration can record relevant filesystem metadata across supported operating systems.
- Standardize incident response playbooks to enumerate hidden files and directories during endpoint collection.
- Baseline expected hidden files and directories for critical systems to improve triage quality.
- Restrict unnecessary local administrative capability where feasible, since privileged users or processes may be able to hide artifacts more effectively.
- Review detection and compliance evidence requirements to confirm hidden filesystem artifacts are not omitted from routine monitoring or forensic preservation.
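The triage and baseline items above assume collection tooling that actually surfaces hidden entries rather than relying on default directory listings. As an added example (not code from DET0032 or Glexia), the standard-library Python script below enumerates hidden files and directories under a root using each platform's own hiding mechanism, descends into hidden directories so nested staging folders are not missed, and diffs the result against a baseline of expected hidden paths. The baseline format (a set of root-relative, forward-slash paths) and the constructed demo tree are assumptions.

```python
"""Enumerate hidden files and directories under a root and diff them against
a baseline, for incident response triage.

Added example, not code from DET0032 or Glexia. Standard library only; the
notion of "hidden" is the platform's own: a leading dot on Linux and macOS,
UF_HIDDEN (chflags hidden) in st_flags on macOS/BSD, and
FILE_ATTRIBUTE_HIDDEN in st_file_attributes on Windows. The baseline format
(root-relative paths with forward slashes) is an assumption.
"""
import os
import shutil
import stat
import sys
import tempfile


def entry_is_hidden(entry):
    """True if a DirEntry is hidden by any mechanism this platform supports."""
    if os.name != "nt" and entry.name.startswith("."):
        return True                                   # dotfile convention
    try:
        st = entry.stat(follow_symlinks=False)
    except OSError:
        return False
    if getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0):
        return True                                   # macOS/BSD chflags hidden
    if getattr(st, "st_file_attributes", 0) & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True                                   # Windows hidden attribute
    return False


def walk_hidden(root, max_entries=200000):
    """Yield (path, kind) for every hidden entry under root. Hidden directories
    are descended into as well, because staging folders nest hidden content."""
    seen = 0
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            continue                                  # unreadable; log separately in real use
        for entry in entries:
            seen += 1
            if seen > max_entries:
                return
            is_dir = entry.is_dir(follow_symlinks=False)
            if entry_is_hidden(entry):
                yield entry.path, "dir" if is_dir else "file"
            if is_dir:
                stack.append(entry.path)


def triage(root, baseline):
    """Return sorted (relative_path, kind) for hidden entries not in baseline."""
    unexpected = []
    for path, kind in walk_hidden(root):
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        if rel not in baseline:
            unexpected.append((rel, kind))
    return sorted(unexpected)


def build_demo_tree():
    """Constructed layout: one baselined hidden dir and one nested hidden drop."""
    root = tempfile.mkdtemp(prefix="t1564_demo_")
    os.makedirs(os.path.join(root, ".config"))
    open(os.path.join(root, ".config", "app.conf"), "w").close()
    os.makedirs(os.path.join(root, "cache", ".staging"))
    open(os.path.join(root, "cache", ".staging", ".drop.bin"), "w").close()
    open(os.path.join(root, "readme.txt"), "w").close()
    return root


def demo():
    """Run triage on the constructed tree with '.config' baselined."""
    root = build_demo_tree()
    try:
        return triage(root, {".config"})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = triage(target, set()) if target else demo()
    for rel, kind in results:
        print(f"{kind}\t{rel}")
```

Pointed at a real host (python3 triage.py /) it lists every hidden entry that is not in the baseline; on the demo tree it reports the nested cache/.staging directory and the .drop.bin inside it while suppressing the baselined .config. Note the platform caveat the code encodes: on Windows a leading dot does not hide a file, so only the attribute check applies there, and a baseline built on a Linux image is not reusable on Windows hosts.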
Analyst notes and limits
This Glexia take is based on the detection strategy object DET0032 and its relationship to ATT&CK technique T1564.001. The ATT&CK object itself does not provide an official description, detection guidance, tactics, or platforms; platform and tactic context comes from the related technique. Treat this as a validation prompt for telemetry coverage and response procedure quality, not as a standalone analytic specification.
No official detection logic, data sources, mitigations, or platform list are supplied directly on DET0032. Local operating system mix, endpoint tooling, retention, and business-approved hidden-file use must determine final detection design and severity.
Detection Strategy for Hidden Files and Directories
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | This object detects Hidden Files and Directories. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8ea4f9260352… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0032 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.