diff --git a/docs/matrices.rst b/docs/matrices.rst
index 0ab3409..af9547b 100644
--- a/docs/matrices.rst
+++ b/docs/matrices.rst
@@ -6,4 +6,6 @@ :hidden: matrices/windows + matrices/macos + matrices/linux
diff --git a/eqllib/analytics/defense-evasion/T1158-hidden-file-creation-nix.toml b/eqllib/analytics/defense-evasion/T1158-hidden-file-creation-nix.toml
new file mode 100644
index 0000000..c7abd14
--- /dev/null
+++ b/eqllib/analytics/defense-evasion/T1158-hidden-file-creation-nix.toml
@@ -0,0 +1,19 @@
+[analytic.metadata]
+categories = ["hunt"]
+confidence = "low"
+contributors = ["Tony Lambert"]
+created_date = "01/11/2019"
+description = "Identifies creation of hidden files on Linux and macOS."
+id = "8660f466-1568-11e9-b885-d46d6d62a49e"
+name = "Linux and macOS Hidden File Creation"
+os = ["linux", 'macos']
+references = ['https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1158/T1158.md']
+tactics = ["Persistence", "Defense Evasion"]
+tags = ["atomicblue"]
+techniques = ["T1158"]
+updated_date = "01/11/2019"
+
+[analytic]
+query = '''
+file where subtype.create and file_name == ".*"
+'''
\ No newline at end of file
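Review bot: The `os` array in the new analytic mixes basic and literal string quoting inside a single value (`os = ["linux", 'macos']`), and `references` uses literal quotes while every neighbouring key uses basic quotes; settle on one form, e.g. `os = ["linux", "macos"]` and `references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1158/T1158.md"]`. The file is also missing its trailing newline (the `\ No newline at end of file` marker). `created_date` and `updated_date` are strings in `01/11/2019` form, which is ambiguous between day-first and month-first; if the loader accepts native TOML dates, `2019-01-11` removes the ambiguity, otherwise it is worth confirming this matches the format the other analytics in the tree use. On the query side, `file_name == ".*"` appears to rely on EQL's wildcard handling in `==` and will fire on routine dotfiles created by shells, editors and desktop tooling, so a sentence in `description` stating that baseline filtering is expected would help whoever runs this hunt.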