
Rule Info
Name
PowerShell Creating Hidden File
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects PowerShell commands that create hidden files in the Windows file system, which may indicate malicious activity or an attempt to hide persistence mechanisms.
Threat actors may use PowerShell to create hidden files, often containing malicious scripts or payloads, by leveraging the 'Hidden' attribute.
Date
2025-08-13 00:00:00
Modified
None
Id
d4d77118-43c4-4e52-865d-81f9d7e79fc3
Tags
attack.defense-evasion attack.persistence attack.t1564.001
Type
Nextron Sigma feed only (private)