T1158 - Hidden Files and Directories

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a "hidden" file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show hidden files, either through a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a on Windows and ls -a on Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

Windows

Users can mark specific files as hidden with the attrib.exe binary: attrib +h filename marks a file or folder as hidden. Similarly, the "+s" flag marks a file as a system file and the "+r" flag marks it read-only. Like most Windows binaries, attrib.exe can apply these changes recursively with "/S".

Linux/Mac

Users can mark specific files as hidden simply by putting a "." as the first character of the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders whose names start with a period, ".", are by default hidden from view in the Finder application and in standard command-line utilities like "ls". Users must specifically change settings to make these files viewable. For command line usage there is typically a flag to list all files, including hidden ones. To view these files in the Finder application, run defaults write com.apple.finder AppleShowAllFiles YES and then relaunch Finder.

Mac

Files on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
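The three hiding mechanisms described above (Windows attrib +h / +s bits, the dotfile convention, and the macOS UF_HIDDEN flag) can all be read back from a stat call. The following Python scanner is an added example, not part of the Atomic Red Team project; it reports every hidden entry under a root, including files nested inside hidden directories, and builds a constructed sample tree mirroring Atomic Tests #1 and #9 for the demo. The Win32 attribute bits and UF_HIDDEN are only populated by os.stat on their respective platforms; elsewhere they read as zero and only the dotfile check fires.

```python
import os
import stat
import tempfile
from pathlib import Path

# Win32 attribute bits; os.stat exposes st_file_attributes only on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2   # set by "attrib +h"
FILE_ATTRIBUTE_SYSTEM = 0x4   # set by "attrib +s"
# BSD/macOS flag set by "chflags hidden" / "setfile -a V"; st_flags exists only there.
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)


def hiding_mechanisms(path):
    """Return the set of reasons `path` is hidden from a casual listing:
    'dotfile', 'uf_hidden', 'attrib_hidden', 'attrib_system' (empty if visible)."""
    name = os.path.basename(path)
    found = set()
    if name.startswith(".") and name not in (".", ".."):
        found.add("dotfile")
    st = os.lstat(path)  # lstat: report the link itself, do not follow it
    if getattr(st, "st_flags", 0) & UF_HIDDEN:
        found.add("uf_hidden")
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        found.add("attrib_hidden")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        found.add("attrib_system")
    return found


def find_hidden(root):
    """Map each hidden entry under root (relative, '/'-separated) to its mechanisms.
    os.walk descends into hidden directories, so nested hidden files are reported."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mechanisms = hiding_mechanisms(full)
            if mechanisms:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = mechanisms
    return hits


def demo():
    """Constructed sample tree (Atomic Tests #1 and #9 side by side), then scanned."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".hidden-directory"))
    Path(root, ".hidden-directory", ".hidden-file").write_text("this file is hidden\n")
    os.makedirs(os.path.join(root, "visible-directory"))
    Path(root, "visible-directory", "visible-file").write_text("this file is visible\n")
    return find_hidden(root)
```

On a macOS host, running the scanner after Atomic Test #7 reports the target with 'uf_hidden' even though its name carries no leading dot, which is the case a plain ls -a based review misses.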

Atomic Tests


Atomic Test #1 - Create a hidden file in a hidden directory

Creates a hidden file inside a hidden directory

Supported Platforms: Linux, macOS

Run it with sh!

mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file


Atomic Test #2 - Mac Hidden file

Hide a file on MacOS

Supported Platforms: macOS

Run it with sh!

sudo xattr -lr * / 2>/dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"


Atomic Test #3 - Hidden file

Rename a file to a .file with mv

Supported Platforms: macOS, Linux

Inputs

filename: path of file to hide (type: path, default: /tmp/evil)
output_filename: output path of file (type: path, default: /tmp/evil)

Run it with sh!

mv #{filename} .#{output_filename}


Atomic Test #4 - Create Windows System File with Attrib

Creates a file and marks it as a system file using the attrib.exe utility.

Supported Platforms: Windows

Inputs

filename: path of file to mark as system (type: path, default: C:\Windows\Temp\sensitive_file.txt)

Run it with command_prompt!

attrib.exe +s #{filename}


Atomic Test #5 - Create Windows Hidden File with Attrib

Creates a file and marks it as hidden using the attrib.exe utility.

Supported Platforms: Windows

Inputs

filename: path of file to mark as hidden (type: path, default: C:\Windows\Temp\sensitive_file.txt)

Run it with command_prompt!

attrib.exe +h #{filename}


Atomic Test #6 - Hidden files

Hide a file with the SetFile utility. Requires Apple Developer Tools.

Supported Platforms: macOS

Inputs

filename: path of file to hide (type: path, default: /tmp/evil)

Run it with sh!

setfile -a V #{filename}


Atomic Test #7 - Hide a Directory

Hide a directory on MacOS

Supported Platforms: macOS

Inputs

filename: path of file to hide (type: path, default: /tmp/evil)

Run it with sh!

chflags hidden #{filename}


Atomic Test #8 - Show all hidden files

Show all hidden files on MacOS

Supported Platforms: macOS

Run it with sh!

defaults write com.apple.finder AppleShowAllFiles YES


Atomic Test #9 - Create Visible Directories

Create visible directories on MacOS and Linux

Supported Platforms: macOS, Linux

Run it with sh!

mkdir visible-directory
echo "this file is visible" > visible-directory/visible-file
ls
ls visible-directory


Atomic Test #10 - Create hidden directories and files

Create hidden directories and files on Unix-like platforms

Supported Platforms: macOS, Linux

Run it with sh!

mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
ls -la
ls -la .hidden-directory


Atomic Test #11 - Create ADS command prompt

Create an Alternate Data Stream with the command prompt. Write access is required.

Supported Platforms: Windows

Inputs

file_name: file name of the file to create the ADS on (type: string, default: test.txt)
ads_filename: name of the ADS (type: string, default: adstest.txt)

Run it with command_prompt!

echo "test" > #{file_name}:#{ads_filename}
echo "test" > :#{ads_filename}
dir /s /r | find ":$DATA"


Atomic Test #12 - Create ADS PowerShell

Create an Alternate Data Stream with PowerShell. Write access is required.

Supported Platforms: Windows

Inputs

file_name: file name of the file to create the ADS on (type: string, default: test.txt)
ads_filename: name of the ADS (type: string, default: adstest.txt)

Run it with powershell!

echo "test" > #{file_name}
set-content -path #{file_name} -stream #{ads_filename} -value "test"
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
set-content -path . -stream #{ads_filename} -value "test3"
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname