Hide Artifacts: Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name [1] [2]. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like "ls". Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app [3]. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.

ID: T1564.001
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Defense Bypassed: Host forensic analysis
Version: 1.0
Created: 26 February 2020
Last Modified: 29 March 2020

Procedure Examples

Name Description
APT28

APT28 has saved files with hidden file attributes.[15][15]

APT32

APT32's macOS backdoor hides the clientID file via a chflags function.[18]

Calisto

Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[5][6]

CoinTicker

CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].[11]

FruitFly

FruitFly saves itself with a leading "." to make it a hidden file.[7]

iKitten

iKitten saves itself with a leading "." so that it's hidden from users by default.[7]

Ixeshe

Ixeshe sets its own executable file's attributes to hidden.[12]

Komplex

The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.[1]

Lazarus Group

A Lazarus Group VBA Macro sets its file attributes to System and Hidden.[16]

Machete

Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[14]

MacSpy

MacSpy stores itself in ~/Library/.DS_Stores/ [4]

Micropsia

Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.[8]

OSX/Shlayer

OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[13]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[9]

Tropic Trooper

Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\.[17]

WannaCry

WannaCry uses attrib +h to make some of its files hidden.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.

References