T1564.001 - Hidden Files and Directories#
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).
On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
Atomic Tests#
Atomic Test #1 - Create a hidden file in a hidden directoryCreates a hidden file inside a hidden directory#
Supported Platforms: linux, macos#### Attack Commands: Run with sh
mkdir /var/tmp/.hidden-directory
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file
Invoke-AtomicTest T1564.001 -TestNumbers 1
Cleanup:#
rm -rf /var/tmp/.hidden-directory/
Invoke-AtomicTest T1564.001 -TestNumbers 1 -Cleanup
Atomic Test #2 - Mac Hidden fileHide a file on MacOS#
Supported Platforms: macos#### Attack Commands: Run with sh
xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
Invoke-AtomicTest T1564.001 -TestNumbers 2
Atomic Test #3 - Create Windows System File with Attrib#
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details and observe that the Attributes are “SA” for System and Archive.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Dependencies: Run with command_prompt!#
Description: The file must exist on disk at specified location (#{file_to_modify})#
Check Prereq Commands:#
IF EXIST %temp%\T1564.001.txt ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:#
echo system_Attrib_T1564.001 >> %temp%\T1564.001.txt
Invoke-AtomicTest T1564.001 -TestNumbers 3 -GetPreReqs
Attack Commands: Run with command_prompt#
attrib.exe +s %temp%\T1564.001.txt
Invoke-AtomicTest T1564.001 -TestNumbers 3
Cleanup:#
del /A:S %temp%\T1564.001.txt >nul 2>&1
Invoke-AtomicTest T1564.001 -TestNumbers 3 -Cleanup
Atomic Test #4 - Create Windows Hidden File with Attrib#
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes are “SH” for System and Hidden.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Dependencies: Run with command_prompt!#
Description: The file must exist on disk at specified location (#{file_to_modify})#
Check Prereq Commands:#
IF EXIST %temp%\T1564.001.txt ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:#
echo system_Attrib_T1564.001 >> %temp%\T1564.001.txt
Invoke-AtomicTest T1564.001 -TestNumbers 4 -GetPreReqs
Attack Commands: Run with command_prompt#
attrib.exe +h %temp%\T1564.001.txt
Invoke-AtomicTest T1564.001 -TestNumbers 4
Cleanup:#
del /A:H %temp%\T1564.001.txt >nul 2>&1
Invoke-AtomicTest T1564.001 -TestNumbers 4 -Cleanup
Atomic Test #5 - Hidden filesRequires Apple Dev Tools#
Supported Platforms: macos#### Attack Commands: Run with sh
setfile -a V /tmp/evil
Invoke-AtomicTest T1564.001 -TestNumbers 5
Atomic Test #6 - Hide a DirectoryHide a directory on MacOS#
Supported Platforms: macos#### Attack Commands: Run with sh
touch /var/tmp/T1564.001_mac.txt
chflags hidden /var/tmp/T1564.001_mac.txt
Invoke-AtomicTest T1564.001 -TestNumbers 6
Cleanup:#
rm /var/tmp/T1564.001_mac.txt
Invoke-AtomicTest T1564.001 -TestNumbers 6 -Cleanup
Atomic Test #7 - Show all hidden filesShow all hidden files on MacOS#
Supported Platforms: macos#### Attack Commands: Run with sh
defaults write com.apple.finder AppleShowAllFiles YES
Invoke-AtomicTest T1564.001 -TestNumbers 7
Cleanup:#
defaults write com.apple.finder AppleShowAllFiles NO
Invoke-AtomicTest T1564.001 -TestNumbers 7 -Cleanup
Atomic Test #8 - Hide Files Through RegistryDisable Show Hidden files switch in registry. This technique was abused by several malware to hide their files from normal user.#
See how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with command_prompt
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
Invoke-AtomicTest T1564.001 -TestNumbers 8
Cleanup:#
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
Invoke-AtomicTest T1564.001 -TestNumbers 8 -Cleanup
Atomic Test #9 - Create Windows Hidden File with powershell#
Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes is “H” Hidden.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Dependencies: Run with command_prompt!#
Description: The file must exist on disk at specified location (#{file_to_modify})#
Check Prereq Commands:#
IF EXIST %temp%\T1564.001-9.txt ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:#
echo system_Attrib_T1564.001-9 >> %temp%\T1564.001-9.txt
Invoke-AtomicTest T1564.001 -TestNumbers 9 -GetPreReqs
Attack Commands: Run with powershell#
$file = Get-Item $env:temp\T1564.001-9.txt -Force
$file.attributes='Hidden'
Invoke-AtomicTest T1564.001 -TestNumbers 9
Cleanup:#
cmd /c 'del /A:H %temp%\T1564.001-9.txt >nul 2>&1'
Invoke-AtomicTest T1564.001 -TestNumbers 9 -Cleanup
Atomic Test #10 - Create Windows System File with powershell#
Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes is “S” System.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Dependencies: Run with command_prompt!#
Description: The file must exist on disk at specified location (#{file_to_modify})#
Check Prereq Commands:#
IF EXIST %temp%\T1564.001-10.txt ( EXIT 0 ) ELSE ( EXIT 1 )
Get Prereq Commands:#
echo system_Attrib_T1564.001-10 >> %temp%\T1564.001-10.txt
Invoke-AtomicTest T1564.001 -TestNumbers 10 -GetPreReqs
Attack Commands: Run with powershell#
$file = Get-Item $env:temp\T1564.001-10.txt -Force
$file.attributes='System'
Invoke-AtomicTest T1564.001 -TestNumbers 10
Cleanup:#
cmd /c 'del /A:H %temp%\T1564.001-10.txt >nul 2>&1'
Invoke-AtomicTest T1564.001 -TestNumbers 10 -Cleanup
Detection#
Monitor the file system and shell commands for files being created with a leading “.” and the Windows command-line use of attrib.exe to add the hidden attribute.