T1158 - Hidden Files and Directories
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files, either via a series of Graphical User Interface (GUI) prompts or with command line switches (`dir /a` for Windows and `ls -a` for Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and for evading a typical user or system analysis that does not incorporate investigation of hidden files.
On Windows, users can mark specific files as hidden with the attrib.exe binary:

```cmd
attrib +h filename
```

marks a file or folder as hidden. Similarly, the “+s” flag marks a file as a system file and the “+r” flag marks it read-only. Like most Windows binaries, attrib.exe can apply these changes recursively with “/S”.

On Linux and macOS, users can mark specific files as hidden simply by putting a “.” as the first character of the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders whose names start with a period, ‘.’, are by default hidden from view in the Finder application and in standard command-line utilities like “ls”. Users must specifically change settings to make these files viewable. For command line use, there is typically a flag to see all files (including hidden ones). To view these files in the Finder application, run

```sh
defaults write com.apple.finder AppleShowAllFiles YES
```

and then relaunch Finder.

Files on macOS can also be marked with the UF_HIDDEN flag, which prevents them from being seen in Finder.app but still allows them to be seen in Terminal.app (Citation: WireLurker). Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a hidden .ssh folder that contains the user’s known hosts and keys.
Atomic Test #1 - Create a hidden file in a hidden directory
Creates a hidden file inside a hidden directory
Supported Platforms: Linux, macOS
```sh
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
```
Atomic Test #2 - Mac Hidden file
Hide a file on macOS
Supported Platforms: macOS
```sh
# Search extended attributes across the file system for FinderInfo whose
# Finder flags carry the invisible bit (0x4000), i.e. files Finder hides.
sudo xattr -lr * / 2>/dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
```
Atomic Test #3 - Hidden file
Move a file to a dot-prefixed name (file to .file)
Supported Platforms: macOS, Linux
Name | Description | Type | Default Value |
---|---|---|---|
filename | path of file to hide | path | /tmp/evil |
output_filename | output path of file | path | /tmp/evil |
```sh
mv #{filename} .#{output_filename}
```
Creates a file and marks it as a system file using the attrib.exe utility.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
filename | path of file to mark as system | path | C:\Windows\Temp\sensitive_file.txt |
```cmd
attrib.exe +s #{filename}
```
Atomic Test #5 - Create Windows Hidden File with Attrib
Creates a file and marks it as hidden using the attrib.exe utility.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
filename | path of file to mark as hidden | path | C:\Windows\Temp\sensitive_file.txt |
```cmd
attrib.exe +h #{filename}
```
Atomic Test #6 - Hidden files
Requires Apple Dev Tools
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
filename | path of file to hide | path | /tmp/evil |
```sh
setfile -a V #{filename}
```
Hide a directory on macOS
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
filename | path of file to hide | path | /tmp/evil |
```sh
chflags hidden #{filename}
```
Atomic Test #8 - Show all hidden files
Show all hidden files on macOS
Supported Platforms: macOS
```sh
defaults write com.apple.finder AppleShowAllFiles YES
```
Create visible directories on macOS and Linux
Supported Platforms: macOS, Linux
```sh
mkdir visible-directory
echo "this file is visible" > visible-directory/visible-file
ls
ls visible-directory
```
Atomic Test #10 - Create hidden directories and files
Create hidden directories and files on *nix platforms
Supported Platforms: macOS, Linux
```sh
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
ls -la
ls -la .hidden-directory
```
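A review of a host that only runs `ls` misses exactly the artefacts the description above and tests #1, #3 and #10 create. The script below is an added example, not part of the Atomic Red Team tests or the ATT&CK text: it walks a directory tree, reports every dot-prefixed file or directory whose name is not on a small allowlist of well-known benign entries, and, on macOS only, also reports entries carrying the UF_HIDDEN flag that `chflags hidden` sets. The allowlist contents and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the Atomic Red Team tests or the ATT&CK text:
# audit a directory tree for entries that default tooling hides.
# The allowlist of well-known benign dot-entries is an assumption for the
# demonstration; adjust it to the host's baseline.

ALLOWLIST=".ssh .bashrc .bash_history .profile .zshrc .gitconfig .DS_Store"

# is_allowlisted NAME -> exit status 0 if NAME is in ALLOWLIST
is_allowlisted() {
    for allowed in $ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# find_hidden_entries DIR
# Prints "path<TAB>kind" for every dot-prefixed file or directory below DIR
# whose basename is not allowlisted. Matching is on the basename, so a
# dot-file planted inside an allowlisted directory is still reported.
find_hidden_entries() {
    dir="$1"
    find "$dir" -mindepth 1 -name '.*' 2>/dev/null | sort | while IFS= read -r path; do
        name=$(basename "$path")
        if is_allowlisted "$name"; then
            continue
        fi
        if [ -d "$path" ]; then
            kind=dir
        else
            kind=file
        fi
        printf '%s\t%s\n' "$path" "$kind"
    done
}

# count_hidden_entries DIR -> number of entries find_hidden_entries reports
count_hidden_entries() {
    find_hidden_entries "$1" | wc -l | tr -d ' '
}

# find_flag_hidden_entries DIR
# macOS only: report entries hidden with the UF_HIDDEN flag (chflags hidden),
# which need no leading dot and are invisible in Finder but not in Terminal.
# "ls -lO" prints the BSD flags in its fifth column. Prints nothing on Linux.
find_flag_hidden_entries() {
    dir="$1"
    [ "$(uname)" = "Darwin" ] || return 0
    find "$dir" -mindepth 1 2>/dev/null | sort | while IFS= read -r path; do
        if ls -ldO "$path" 2>/dev/null | awk '$5 ~ /hidden/ { f = 1 } END { exit !f }'; then
            printf '%s\tflag-hidden\n' "$path"
        fi
    done
}

# Usage: sh audit-hidden.sh DIR
if [ $# -gt 0 ]; then
    find_hidden_entries "$1"
    find_flag_hidden_entries "$1"
fi
```

Run it against a home directory or a web root after tests #1, #3 or #10 and the planted `.hidden-directory/.hidden-file` appears while `.ssh` does not; comparing its output against a known-good baseline is the point, since a dot-name alone is not evidence of anything.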
Create an Alternate Data Stream with the command prompt. Write access is required.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
file_name | File name of file to create ADS on. | string | test.txt |
ads_filename | Name of ADS file. | string | adstest.txt |
```cmd
echo "test" > #{file_name}:#{ads_filename}
echo "test" > :#{ads_filename}
dir /s /r | find ":$DATA"
```
Create an Alternate Data Stream with PowerShell. Write access is required.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
file_name | File name of file to create ADS on. | string | test.txt |
ads_filename | Name of ADS file. | string | adstest.txt |
```powershell
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
set-content -path . -stream #{ads_filename} -value "test3"
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
```