πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
T1497: Virtualization/Sandbox Evasion
T1550: Use Alternate Authentication Material
T1127: Trusted Developer Utilities Proxy Execution
T1221: Template Injection
T1553: Subvert Trust Controls
T1216: Signed Script Proxy Execution
T1218: Signed Binary Proxy Execution
T1055: Process Injection
T0127: Obfuscated Files or Information
T1036: Masquerading
T1202: Indirect Command Execution
T1562: Impair Defenses
T1070: Indicator Removal on Host
T1574: Hijack Execution Flow
T1564: Hide Artifacts
VBA Stomping
Run Virtual Instance
NTFS File Attributes
Hidden Window
Hidden Files and Directories
T1222: File Directory Permissions Modification
T1480: Execution Guardrails
T1197: BITS Jobs
T1134: Access Token Manipulation
T1548: Abuse Elevation Control Mechanism
De-obfuscate/Decode Files or Information
Credential Access
Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a "hidden" file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS).
On Linux and Mac, users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Files and folders that start with a period, '.' are by default hidden from being viewed in the Finder application and standard command-line utilities like "ls". Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN FLAG which prevents them from being seen in Finder.app but still allows them to be seen in Terminal.app. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn't clutter up the user's workspace. For example, SSH utilities create a .ssh folder that's hidden and contains the user's known hosts and keys.
Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.
Example:
here we will hide some folders to avoid detection, since these folders by default are not commonly viewable in the GUI unless activated, or not even in the command-line or PowerShell unless intended.
I will hide a folder named Payloads in this example which has my payload to connect back to my attacking machine.
Here we can see it is perfectly viewable.
Now let's hide it.
The great thing about this is that as long as you have the correct permissions on a folder then you can hide it, same goes for a file.
If I search it with cmd it won't show as well.
Unless I intend to search it with the "/a" flag
Previous
Hidden Window
Next
T1222: File Directory Permissions Modification
Last modified 1yr ago
Copy link