Hidden Flag Set On File/Directory Via Chflags - MacOS (3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe)

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Hidden Flag Set On File/Directory Via Chflags - MacOS (3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe) | Sigma-Rules | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Hidden Flag Set On File/Directory Via Chflags - MacOS (3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |
| Hidden Flag Set On File/Directory Via Chflags - MacOS (3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe) | Sigma-Rules | NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | 1 |
| Hidden Flag Set On File/Directory Via Chflags - MacOS (3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe) | Sigma-Rules | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1 |
| NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 2 |