MITRE ATT&CK — Hidden Files & Directories (T1564.001)

What it does

This skill provides a structured, defense-focused analysis of the MITRE ATT&CK sub-technique T1564.001 (Hidden Files and Directories). It helps map observed behaviors to ATT&CK, produce detection ideas, prioritise telemetry collection, and generate repeatable artifacts such as detection briefs, hunt plans, and incident-response notes. The skill bundles machine-readable metadata and templates to make outputs consistent and actionable.

When to use it

Use this skill during triage, detection engineering, threat hunting, ATT&CK coverage assessments, or when planning safe adversary-emulation exercises. It's appropriate when log evidence or analyst questions reference hidden files, suspicious dotfiles, UF_HIDDEN flags on macOS, or patterns suggesting directory/file hiding for stealth.

What's included

• Scripts: scripts/render_brief.py to render a markdown brief from technique metadata (has_scripts=true).
• References: detection-and-mitigation.md, technique-profile.json, known-threat-context.md (has_references=true).
• Instructions: stepwise agent workflow for scope clarification, mapping to ATT&CK, producing detection logic, and safe emulation boundaries. Templates for briefs, hunt-plans, and incident-response notes are bundled.

Compatible agents

Best used by agents with code execution and file access (Claude Code, Copilot-style assistants, or other agents that can read bundled JSON/templates) so they can render templates and run the included helper scripts.