Preventing ransomware from encrypting files on a target machine
US-2021256117-A1 · Aug 19, 2021 · US
US11611586B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11611586-B2 |
| Application number | US-202117164902-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 2, 2021 |
| Priority date | Sep 22, 2017 |
| Publication date | Mar 21, 2023 |
| Grant date | Mar 21, 2023 |
Abstract
A system and method is provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
Claims (1 to 19, as granted)
What is claimed is:

1. A method for detecting a suspicious process in an operating system environment, the method comprising: generating, by a hardware processor, a file honeypot in a directory in a file system; receiving a directory enumeration request from a process executing in the operating system environment; determining whether the process is identified in a list of trusted processes; in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request; intercepting, by a file system filter driver, a file modification request for the file honeypot from the process; and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.

2. The method of claim 1, further comprising: in response to determining that the process is in the list of trusted processes, providing, to the process by the file system, a file list excluding the file honeypot responsive to the directory enumeration request.

3. The method of claim 1, wherein determining whether the process is identified in the list of trusted processes is based on one or more of a certificate, fingerprint, name, and process identifier.

4. The method of claim 1, wherein generating the file honeypot further comprises at least one of: creating a special file corresponding to the file honeypot in the directory; and updating the file list to add a filename of the special file at a first position of the file list.

5. The method of claim 1, wherein generating the file honeypot further comprises: adding a filename of a nonexistent file to the file list associated with the directory.

6. The method of claim 1, further comprising: assigning to the generated file honeypot a filename having at least one steganographic element.

7. The method of claim 1, further comprising: modifying a file attribute of the generated file honeypot to indicate a hidden file.

8. The method of claim 1, wherein generating the file honeypot further comprises: generating the file honeypot according to a template that specifies a document type and one or more file naming rules comprising at least one steganographic element.

9. The method of claim 1, further comprising: responsive to receiving the directory enumeration request, performing a machine learning analysis on a stack trace of the directory enumeration request using machine learning; and adding a file honeypot to the provided file list responsive to the directory enumeration request based on the machine learning analysis.

10. A system for detecting a suspicious process in an operating system environment, the system comprising: a hardware processor configured to: generate a file honeypot in a directory in a file system; receive a directory enumeration request from a process executing in the operating system environment; determine whether the process is identified in a list of trusted processes; in response to determining that the process is not in the list of trusted processes, provide, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request; intercept, by a file system filter driver, a file modification request for the file honeypot from the process; and identify the process as a suspicious object responsive to intercepting the file modification request from the process.

11. The system of claim 10, wherein the hardware processor is further configured to: in response to determining that the process is in the list of trusted processes, provide, to the process by the file system, a file list excluding the file honeypot responsive to the directory enumeration request.

12. The system of claim 10, wherein the hardware processor is further configured to determine whether the process is identified in the list of trusted processes is based on one or more of a certificate, fingerprint, name, and process identifier.

13. The system of claim 10, wherein the hardware processor is further configured to generate the file honeypot further by at least one of: creating a special file corresponding to the file honeypot in the directory; and updating the file list to add a filename of the special file at a first position of the file list.

14. The system of claim 10, wherein the hardware processor is further configured to generate the file honeypot by: adding a filename of a nonexistent file to the file list associated with the directory.

15. The system of claim 10, wherein the hardware processor is further configured to: assign to the generated file honeypot a filename having at least one steganographic element.

16. The system of claim 10, wherein the hardware processor is further configured to: modify a file attribute of the generated file honeypot to indicate a hidden file.

17. The system of claim 10, wherein the hardware processor is further configured to generate the file honeypot by: generating the file honeypot according to a template that specifies a document type and one or more file naming rules comprising at least one steganographic element.

18. The system of claim 10, wherein the hardware processor is further configured to: responsive to receiving the directory enumeration request, perform a machine learning analysis on a stack trace of the directory enumeration request using machine learning; and add a file honeypot to the provided file list responsive to the directory enumeration request based on the machine learning analysis.

19. A non-transitory computer readable medium storing thereon computer executable instructions for detecting a suspicious process in an operating system environment, including instructions for: generating a file honeypot in a directory in a file system; receiving a directory enumeration request from a process executing in the operating system environment; determining whether the process is identified in a list of trusted processes; in response to determining that the process is not in the list of trusted processes, providing, to the process by the file system, a file list including the file honeypot responsive to the directory enumeration request; intercepting, by a file system filter driver, a file modification request for the file honeypot from the process; and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
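The abstract and claims above describe one decision flow: plant a decoy file, answer directory enumeration differently for trusted and untrusted processes (the decoy goes first in the listing for untrusted ones, per claim 4), and flag whichever process then tries to modify the decoy. The following Python model is an added illustration, not the patent's code or any vendor's filter driver; it simulates the filter-driver logic in user space over an in-memory directory. The class and function names (`HoneypotFilter`, `plant_honeypot`, `simulate`), the use of a zero-width space as the "steganographic element" in the decoy filename, the SHA-256 image hash standing in for the "fingerprint" of claim 3, and the directory contents are all constructed assumptions.

```python
"""Model of the file-honeypot detection flow in US11611586B2 (added example).

Nothing here touches a real file system; it models what a file system filter
driver would do on directory enumeration and on a write request.
"""
import hashlib
from dataclasses import dataclass, field

# Assumed "steganographic element" (claim 6/8): a zero-width space embedded in
# the decoy's name. Invisible in most UIs, but the filter can recognise the
# decoy by name alone without a side table lookup.
HONEYPOT_MARK = "\u200b"
DOCS = "C:\\Users\\alice\\Documents"   # constructed directory path


@dataclass
class FileEntry:
    name: str
    data: bytes = b""
    hidden: bool = False     # FILE_ATTRIBUTE_HIDDEN-style flag (claim 7)
    honeypot: bool = False
    exists: bool = True      # False: name is listed but has no backing file (claim 5)


@dataclass
class Process:
    pid: int
    name: str
    image: bytes             # constructed stand-in for the executable image

    def fingerprint(self) -> str:
        # Claim 3 allows certificate/fingerprint/name/pid; a hash of the image
        # is the assumed "fingerprint" here.
        return hashlib.sha256(self.image).hexdigest()


@dataclass
class HoneypotFilter:
    fs: dict                                   # directory -> list[FileEntry]
    trusted_names: set = field(default_factory=set)
    trusted_fingerprints: set = field(default_factory=set)
    suspicious: dict = field(default_factory=dict)   # pid -> reason

    def is_trusted(self, proc: Process) -> bool:
        return (proc.name in self.trusted_names
                or proc.fingerprint() in self.trusted_fingerprints)

    def plant_honeypot(self, directory: str, stem: str = "Q3 Invoices",
                       doc_type: str = "docx", real: bool = True) -> str:
        # Claim 8: a template fixes the document type and a naming rule that
        # carries the steganographic marker.
        name = f"{stem}{HONEYPOT_MARK}.{doc_type}"
        entry = FileEntry(name=name, data=b"PK\x03\x04" + b"\x00" * 32,
                          hidden=True, honeypot=True, exists=real)
        # Claim 4: decoy goes to the first position so a linear walk hits it
        # before any real document.
        self.fs[directory].insert(0, entry)
        return name

    def enumerate(self, proc: Process, directory: str) -> list:
        """Directory enumeration as seen by the requesting process."""
        entries = self.fs[directory]
        if self.is_trusted(proc):               # claim 2: decoy filtered out
            return [e.name for e in entries if not e.honeypot]
        return [e.name for e in entries]        # claim 1: decoy included

    def write(self, proc: Process, directory: str, filename: str, data: bytes) -> bool:
        """Modeled IRP_MJ_WRITE/SET_INFORMATION interception. Returns True if
        the write is allowed to reach the file."""
        entry = next((e for e in self.fs[directory] if e.name == filename), None)
        if entry is None:
            raise FileNotFoundError(filename)
        if entry.honeypot or HONEYPOT_MARK in filename:
            self.suspicious[proc.pid] = f"{proc.name} modified decoy {filename!r} in {directory}"
            return False   # assumed policy: deny the write once the process is flagged
        entry.data = data
        return True


def simulate() -> dict:
    """Constructed scenario: a trusted backup agent and an untrusted encryptor
    both walk the same directory."""
    fs = {DOCS: [FileEntry("budget.xlsx", b"real budget"),
                 FileEntry("notes.txt", b"real notes")]}
    flt = HoneypotFilter(fs, trusted_names={"explorer.exe"})
    backup = Process(1000, "backup.exe", b"constructed: backup agent image")
    flt.trusted_fingerprints.add(backup.fingerprint())   # trust by hash, not name
    decoy = flt.plant_honeypot(DOCS)
    # Untrusted process masquerading under a system binary name.
    ransom = Process(4242, "svchost.exe", b"constructed: ransomware image")

    backup_view = flt.enumerate(backup, DOCS)
    ransom_view = flt.enumerate(ransom, DOCS)
    touched = []
    for name in ransom_view:                 # encryptor overwrites files in listing order
        touched.append(name)
        if not flt.write(ransom, DOCS, name, b"ENCRYPTED"):
            break                            # flagged on the very first write
    budget = next(e.data for e in fs[DOCS] if e.name == "budget.xlsx")
    return {"decoy": decoy, "backup_view": backup_view, "ransom_view": ransom_view,
            "touched": touched, "suspicious": dict(flt.suspicious),
            "budget_intact": budget == b"real budget"}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Two points a deployer would check against this model. First, trust by process name alone (claim 3 lists name among the options) is the weakest of the four: the simulated encryptor calls itself `svchost.exe` and is still caught only because the trust list keys on the image hash. Second, the decoy is detected on the first write, before any real document is touched, only because it sits at the head of the listing; an encryptor that shuffles or sorts the listing itself would reach real files first, which is where the per-file-type templates of claim 8 (several decoys, plausibly named) matter.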
Classifications (CPC titles):

- Machine learning
- Event detection, e.g. attack signature detection
- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- Filtering by information in the payload
- for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]