Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files, either via a series of Graphical User Interface (GUI) prompts or with command-line switches (dir /a for Windows and ls -a for Linux and macOS).
On Linux and Mac, users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name [1] [2]. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like "ls". Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app [3]. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
Adversaries can use this to their advantage to hide files and folders anywhere on the system, evading a typical user or system analysis that does not incorporate investigation of hidden files.
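The three hiding mechanisms described above (a leading "." on Linux/macOS, the UF_HIDDEN flag on macOS, and the hidden attribute set with attrib.exe on Windows) can all be read back from file metadata, which is what an audit of existing hidden files has to do. The following script is an added example written for this page, not code from the original; it walks a directory tree and reports every entry that a default listing would hide, with the reason. The constant fallbacks and the sample tree it builds are assumptions made for the example, and only the dot-prefix mechanism is exercised in the sample so it behaves the same on every platform.

```python
import os
import stat
from pathlib import Path

# Flag constants for the two attribute-based mechanisms. Python's stat module
# defines both names on every platform (they are only meaningful on macOS and
# Windows respectively); the getattr fallbacks are the documented values.
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)                        # macOS: chflags hidden
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)   # Windows: attrib +h


def hidden_reasons(entry):
    """Return the list of mechanisms that hide `entry` from a default listing.

    An empty list means the entry would appear in a plain ls / dir / Finder /
    Explorer view. More than one mechanism can apply at once.
    """
    entry = Path(entry)
    reasons = []
    if entry.name.startswith("."):          # Linux/macOS dot-prefix convention
        reasons.append("dot-prefix")
    try:
        st = entry.lstat()                  # lstat: do not follow symlinks
    except OSError:
        return reasons
    if getattr(st, "st_flags", 0) & UF_HIDDEN:                          # macOS only
        reasons.append("UF_HIDDEN")
    if getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN:    # Windows only
        reasons.append("FILE_ATTRIBUTE_HIDDEN")
    return reasons


def find_hidden(root):
    """Walk `root` and map each hidden entry (POSIX-style relative path) to its reasons.

    Entries beneath a hidden directory are reported too, tagged "under-hidden-dir",
    because a directory's hidden state conceals its whole subtree even when the
    children carry no attribute of their own.
    """
    root = Path(root)
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        parent = Path(dirpath)
        parent_hidden = parent.relative_to(root).as_posix() in report
        for name in sorted(dirnames + filenames):
            entry = parent / name
            reasons = hidden_reasons(entry)
            if parent_hidden:
                reasons.append("under-hidden-dir")
            if reasons:
                report[entry.relative_to(root).as_posix()] = reasons
    return report


def build_sample_tree(base):
    """Create a constructed directory layout under `base` for demonstration.

    The names are invented for this example and are not indicators from the page.
    """
    base = Path(base)
    (base / "visible.txt").write_text("ordinary file\n")
    (base / ".rc").write_text("dot-prefixed file\n")
    (base / ".stash").mkdir()
    (base / ".stash" / "payload.bin").write_bytes(b"\x00" * 16)
    (base / "docs").mkdir()
    (base / "docs" / ".notes").write_text("dot-prefixed file inside a visible dir\n")
    return base


def demo_report():
    """Build the sample tree in a temporary directory and return find_hidden() on it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_hidden(tmp)


if __name__ == "__main__":
    for rel, why in demo_report().items():
        print(f"{rel}: {', '.join(why)}")
```

Run it against a real profile directory rather than the sample tree to get a baseline of expected hidden entries (the .ssh folder mentioned above, shell rc files, application caches); anything outside that baseline is what an analyst would want to look at.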
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla | Agent Tesla has created hidden folders.[4] |
S0584 | AppleJeus | AppleJeus has added a leading |
G0007 | APT28 | |
G0050 | APT32 | APT32's macOS backdoor hides the clientID file via a chflags function.[7] |
S0438 | Attor | Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.[8] |
S0475 | BackConfig | BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.[9] |
S0274 | Calisto | Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[10][11] |
S0484 | Carberp | Carberp has created a hidden file in the Startup folder of the current user.[12] |
S1043 | ccf32 | ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).[13] |
S0660 | Clambling | Clambling has the ability to set its file attributes to hidden.[14] |
S1105 | COATHANGER | COATHANGER creates and installs itself to a hidden installation directory.[15] |
S0369 | CoinTicker | CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].[16] |
S1153 | Cuckoo Stealer | Cuckoo Stealer has copied its binary and the victim's scraped password into a hidden folder in the |
S0497 | Dacls | Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.[19][20] |
S1111 | DarkGate | DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.[21] |
S0634 | EnvyScout | EnvyScout can use hidden directories and files to hide malicious executables.[22] |
S0569 | Explosive | Explosive has commonly set file and path attributes to hidden.[23] |
G1016 | FIN13 | FIN13 has created hidden files and folders within a compromised Linux system |
S0277 | FruitFly | FruitFly saves itself with a leading "." to make it a hidden file.[26] |
G0125 | HAFNIUM | |
S0278 | iKitten | iKitten saves itself with a leading "." so that it's hidden from users by default.[26] |
S0434 | Imminent Monitor | Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.[28] |
S0260 | InvisiMole | InvisiMole can create hidden system directories.[29] |
S0015 | Ixeshe | Ixeshe sets its own executable file's attributes to hidden.[30] |
S0162 | Komplex | The Komplex payload is stored in a hidden directory at |
G0032 | Lazarus Group | Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.[31][19][20][32] |
S0447 | Lokibot | Lokibot has the ability to copy itself to a hidden file and directory.[33] |
S0451 | LoudMiner | LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".[34] |
G1014 | LuminousMoth | LuminousMoth has used malware to store malicious binaries in hidden directories on victims' USB drives.[35] |
S0409 | Machete | Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[36] |
S0282 | MacSpy | |
S0339 | Micropsia | Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.[38] |
G0129 | Mustang Panda | Mustang Panda's PlugX variant has created a hidden folder on USB drives named |
S0198 | NETWIRE | NETWIRE can copy itself to and launch itself from hidden folders.[40] |
S0439 | Okrum | Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.[41] |
S0402 | OSX/Shlayer | OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.[42] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[43] |
S0013 | PlugX | PlugX can modify the characteristics of folders to hide them from the compromised user.[44] |
S0428 | PoetRAT | |
S0650 | QakBot | |
S0262 | QuasarRAT | QuasarRAT has the ability to set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer.[47] |
G1039 | RedCurl | RedCurl added the "hidden" file attribute to original files, manipulating victims into clicking on malicious LNK files.[48][49] |
S0448 | Rising Sun | Rising Sun can modify file attributes to hide files.[50] |
G0106 | Rocke | Rocke downloaded a file "libprocesshider", which could hide files on the target system.[51][52] |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has been created with a hidden attribute to ensure it's not visible to the victim.[53] |
S0663 | SysUpdate | SysUpdate has the ability to set file attributes to hidden.[54] |
S0595 | ThiefQuest | ThiefQuest hides a copy of itself in the user's |
G0134 | Transparent Tribe | Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.[56] |
G0081 | Tropic Trooper | Tropic Trooper has created a hidden directory under |
S0366 | WannaCry | WannaCry uses |
S0612 | WastedLocker | WastedLocker has copied a random file from the Windows System32 folder to the |
S0658 | XCSSET | XCSSET uses a hidden folder named |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute. |
DS0022 | File | File Creation | Monitor the file system and shell commands for files being created with a leading "." |
 | | File Metadata | Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, and permissions, to identify files and directories that may have been set to hidden to evade detection mechanisms. |
DS0009 | Process | Process Creation | Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms. |
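The Command Execution, File Creation and Process Creation rows above describe the same three signals from the detection side: attrib.exe invoked with +h, chflags used to set the hidden flag (the mechanism the APT32 entry refers to), and files created with a leading ".". The following detection logic is an added example written for this page, not code from the original; it runs those three rules over a handful of constructed telemetry events (invented paths and command lines, not indicators from the page) and applies a small allowlist of well-known dotfiles such as .ssh so that ordinary profile noise does not alert. The event schema and the allowlist contents are assumptions made for the example.

```python
import re

# Well-known dot-prefixed names that applications legitimately create
# (the page's .ssh example among them). Assumption: tune per environment.
KNOWN_DOTFILES = {
    ".ssh", ".bashrc", ".bash_history", ".profile", ".zshrc",
    ".gitignore", ".config", ".cache", ".local", ".DS_Store",
}

# Constructed sample telemetry: a mix of process-creation and file-creation
# events in a minimal schema assumed for this example.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib.exe +h +s "C:\Users\alice\AppData\Roaming\update.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib.exe -r C:\Users\alice\notes.txt"},          # clears read-only; not a hide
    {"type": "process", "image": "/usr/bin/chflags",
     "cmdline": "chflags hidden /Users/alice/Library/.helper"},
    {"type": "file", "path": "/home/alice/.config/.svc.sh"},        # new dotfile inside allowlisted dir
    {"type": "file", "path": "/home/alice/report.pdf"},
    {"type": "file", "path": "/home/alice/.bashrc"},                # allowlisted dotfile
]

_SEP = re.compile(r"[\\/]")


def _basename(path):
    """Last path component, tolerant of both Windows and POSIX separators."""
    return _SEP.split(path)[-1]


def detect_hidden_file_activity(events):
    """Apply the three detection rules and return one alert dict per match."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = _basename(ev["image"]).lower()
            tokens = ev["cmdline"].split()
            # Rule 1: attrib.exe adding the hidden attribute (+h, case-insensitive).
            if image == "attrib.exe" and any(t.lower() == "+h" for t in tokens):
                alerts.append({"rule": "attrib-hide", "evidence": ev["cmdline"]})
            # Rule 2: chflags setting the UF_HIDDEN flag on macOS.
            elif image == "chflags" and "hidden" in tokens:
                alerts.append({"rule": "chflags-hide", "evidence": ev["cmdline"]})
        elif ev["type"] == "file":
            # Rule 3: a created path with any dot-prefixed component that is not
            # a known, benign dotfile or dot-directory.
            parts = [p for p in _SEP.split(ev["path"]) if p]
            suspicious = [p for p in parts
                          if p.startswith(".") and p not in KNOWN_DOTFILES]
            if suspicious:
                alerts.append({"rule": "dot-prefixed-create",
                               "evidence": ev["path"], "components": suspicious})
    return alerts


if __name__ == "__main__":
    for alert in detect_hidden_file_activity(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["evidence"])
```

The allowlist is the important design choice: dot-prefixed creation is extremely common on a healthy Linux or macOS host, so a rule that fires on every dotfile is unusable, while a short list of expected names keeps the signal for anything new or unusually placed.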