T1564.001: Hidden Files and Directories

Data from MITRE ATT&CK®:

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Create Windows Hidden File with Attrib

windows

Show all hidden files

macos

Create Windows System File with Attrib

windows

Mac Hidden file

macos

Hide a Directory

macos

Create Windows Hidden File with powershell

windows

Create Windows System File with powershell

windows

Create a hidden file in a hidden directory

linux macos

Hide Files Through Registry

windows

Hidden files

macos

Displaying Hidden Files Feature Disabled

windows registry set

Hiding Files with Attrib.exe

windows process creation

Hidden Files and Directories

linux

Registry Persistence via Service in Safe Mode

windows registry set

Use Icacls to Hide File to Everyone

windows process creation

Set Files as System Files Using Attrib.EXE

windows process creation

PowerShell Logging Disabled Via Registry Key Tampering

windows registry set

Set Suspicious Files as System Files Using Attrib.EXE

windows process creation