This note documents detection patterns related to Hidden Files and Directories on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
File system	Dot-prefixed file	Hidden file created	Critical	Basic Linux concealment technique.
File system	Dot-prefixed directory	Hidden payload directory	Critical	Common stealth staging location.
`/tmp`, `/var/tmp`, `/dev/shm`	Hidden executable	Concealed payload	Critical	High-confidence malicious signal.
Home directories	Hidden script in user path	User-level persistence	Critical	Often blended into normal hidden files.
`/etc`	Hidden config-like file	Stealth persistence or config	High	Unusual under system paths.
File mode	executable hidden file	Executable concealed	Critical	Strong malicious indicator.
File timestamps	recent hidden file creation	Timeline anchor	Critical	Correlates with intrusion window.
Shell history	execution of hidden file	Direct operator evidence	Critical	Strongest linkage when present.
Shell history	hidden dir creation (`mkdir .x`)	Concealment action	High	Common operator step.
`auditd`	write to hidden path	Process attribution	Critical	Best attribution if enabled.
`journalctl`	execution from hidden path	Runtime clue	High	Depends on host logging.
Hidden symlink	Concealed redirection	High	May point to payload elsewhere.
Hidden archive	compressed concealed payload	High	Staged toolkit storage.
Hidden key material	concealed credentials	Critical	Persistence / access clue.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Hidden file after SSH foothold	Manual concealment	Critical	Common attacker progression.
Hidden file plus cron/service	Persistence linkage	Critical	Operationalized concealment.
Hidden file in temp path	Staged stealth payload	Critical	Strong malicious context.
Hidden directory with few files	Dedicated stash	High	Operator storage pattern.
Hidden binary with root owner	Privileged payload	Critical	High severity.
Hidden script references external IP	Callback logic	Critical	Strong malicious indicator.
Hidden file mimics cache	Camouflage	High	Common names: `.cache`, `.dbus`, `.sys`.
Hidden file under dormant account	Silent persistence	Critical	Often missed.
Hidden file recently touched repeatedly	Active usage	High	Operational clue.
Hidden file plus deleted visible payload	Cleanup with concealment	High	Strong operator discipline.

Common Tools

Tool	Usage
`mv payload .name`	Simple concealment.
`mkdir .dir`	Hidden stash directory.
`cp`	Duplicate payload into hidden location.
`chmod +x`	Prepare hidden executable.
`ln -s`	Hidden symbolic link.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Hidden files	`find / -name ".*"`	Critical	Primary hidden artifact discovery.
Hidden temp files	`/tmp`, `/var/tmp`, `/dev/shm`	Critical	High-value stealth zones.
Home hidden dirs	`/home//.`	Critical	User persistence surface.
File metadata	`stat`	Critical	Timeline truth.
File type	`file`	Critical	Payload classification.
Strings	`strings`	High	Infra clues.
Shell history	`.bash_history`, `.zsh_history`	Critical	Creation/use evidence.
Audit logs	`/var/log/audit/audit.log`	Critical	Attribution.

MITRE ATT&CK References

T1564 Hide Artifacts
T1564.001 Hidden Files and Directories
T1036 Masquerading

Decision Tree

Are hidden files present?
- Enumerate recent hidden files and dirs.
Which hidden paths are unusual?
- Focus temp paths, root, dormant accounts.
Is hidden file executable?
- Check mode and type.
Was hidden file executed?
- Shell history, auditd, process traces.
Is persistence linked?
- Cron, services, startup references.
Pivot
- File → strings/hash.
- Owner → privilege context.
- Timestamp → intrusion timeline.
Confirm concealment
- Recent hidden executable + suspicious context = likely malicious concealment.

Example Detection Templates

Grep

find /tmp /var/tmp /dev/shm /home /root -name ".*" 2>/dev/null

find /tmp /var/tmp /dev/shm /home /root -name ".*" -perm /111 2>/dev/null

grep -R "/\." /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl | grep "/."

File Inspection

find /tmp /var/tmp /dev/shm /home /root -name ".*" -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort

file /tmp/.* /var/tmp/.* /dev/shm/.* 2>/dev/null

Sigma

title: Linux Hidden Files and Directories
id: linux-hidden-files-directories
status: experimental
description: Detects suspicious hidden files or directories that may conceal payloads or persistence
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - '/.'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate hidden user files
level: medium
tags:
  - attack.defense_evasion
  - attack.t1564.001

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
File baseline	Inventory hidden paths	Critical	Unknown hidden files should stand out.
File monitoring	Watch hidden executable creation	Critical	Strong invariant detection.
Auditd	Track writes to hidden paths	High	Strong attribution.
Temp review	Regular hidden temp inspection	High	High-value detection zone.
Least privilege	Restrict stealth staging by service users	High	Limits concealment surface.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Any hidden executables?	find hidden executable files	Immediate stealth check.
Which hidden file is newest?	sort timestamps	Timeline anchor.
Is hidden file active?	process / auditd	Runtime proof.
Does hidden file call out?	strings / sockets	C2 clue.
Is persistence linked?	inspect cron/services/startup	Operationalization.
Is file owned by root?	stat	Severity clue.

High Value Grep Strings

Pattern	Why It Matters
`/.`	Hidden path reference.
`.cache`	Common camouflage.
`.sys`	Common camouflage.
`.dbus`	Common camouflage.
`chmod +x`	Hidden executable prep.
`mkdir .`	Hidden stash creation.

Analyst Notes

Scenario	Interpretation
Hidden ELF in `/dev/shm`	High stealth payload.
Hidden dir under dormant user	Silent stash likely.
Hidden file plus cron	Persistence operationalized.
Hidden symlink	Concealed redirection path.
Hidden file with recent repeated access	Active operator usage.
Hidden payload after visible cleanup	Strong concealment discipline.