T1564.001 - Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /afor Windows andls –afor Linux and macOS).On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
Atomic Test #1 - Create a hidden file in a hidden directory
Creates a hidden file inside a hidden directory
Supported Platforms: Linux, macOS
mkdir /var/tmp/.hidden-directory
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-filerm -rf /var/tmp/.hidden-directory/Atomic Test #2 - Mac Hidden file
Hide a file on MacOS
Supported Platforms: macOS
xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details and observe that the Attributes are "SA" for System and Archive.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_to_modify | File to modify using Attrib command | string | %temp%\T1564.001.txt |
attrib.exe +s #{file_to_modify}del /A:S #{file_to_modify} >nul 2>&1IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) echo system_Attrib_T1564.001 >> #{file_to_modify}Atomic Test #4 - Create Windows Hidden File with Attrib
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes are "SH" for System and Hidden.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_to_modify | File to modify using Attrib command | string | %temp%\T1564.001.txt |
attrib.exe +h #{file_to_modify}del /A:H #{file_to_modify} >nul 2>&1IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) echo system_Attrib_T1564.001 >> #{file_to_modify}Atomic Test #5 - Hidden files
Requires Apple Dev Tools
Supported Platforms: macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| filename | path of file to hide | path | /tmp/evil |
setfile -a V #{filename}Hide a directory on MacOS
Supported Platforms: macOS
touch /var/tmp/T1564.001_mac.txt
chflags hidden /var/tmp/T1564.001_mac.txtrm /var/tmp/T1564.001_mac.txtAtomic Test #7 - Show all hidden files
Show all hidden files on MacOS
Supported Platforms: macOS
defaults write com.apple.finder AppleShowAllFiles YESdefaults write com.apple.finder AppleShowAllFiles NO