Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a "hidden" file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS).

On Linux and macOS, users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Files and folders whose names start with a period are hidden by default from the Finder application and from standard command-line utilities like "ls". Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag, which prevents them from being seen in Finder.app but still allows them to be seen in Terminal.app. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn't clutter up the user's workspace. For example, SSH utilities create a .ssh folder that's hidden and contains the user's known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evade a typical user or system analysis that does not incorporate investigation of hidden files.

Example:

Here we will hide some folders to avoid detection, since hidden folders are not shown in the GUI by default unless that view is enabled, and are not listed on the command line or in PowerShell unless explicitly requested.

I will hide a folder named Payloads in this example which has my payload to connect back to my attacking machine.

Here we can see it is perfectly viewable.

Now let's hide it.

The great thing about this is that as long as you have the correct permissions on a folder, you can hide it; the same goes for a file.

If I search for it with cmd, it won't show up either.

Unless I search for it with the "/a" flag.
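For the analysis side, the sketch below is an added example (not part of the original page) that walks a directory tree and reports entries hidden by any of the three mechanisms described above: a leading ".", the macOS UF_HIDDEN flag, or the Windows hidden attribute. The function names, the EXPECTED allowlist and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Hidden-by-design names expected on most hosts (assumed allowlist).
# Matching on name only is for brevity; match on full path in practice.
EXPECTED = {".ssh", ".git", ".cache", ".config"}

def hidden_reasons(path, name):
    """Return the mechanisms that make this entry hidden (empty if visible)."""
    reasons = ["dot-prefix"] if name.startswith(".") else []
    try:
        st = os.lstat(path)
    except OSError:
        return reasons
    # macOS/BSD expose st_flags; UF_HIDDEN hides the entry from Finder only.
    if getattr(st, "st_flags", 0) & stat.UF_HIDDEN:
        reasons.append("UF_HIDDEN")
    # Windows exposes st_file_attributes; this is the bit attrib.exe +h sets.
    if getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN:
        reasons.append("FILE_ATTRIBUTE_HIDDEN")
    return reasons

def find_hidden(root, expected=EXPECTED):
    """Walk root and list (relative path, reasons) for unexpected hidden entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            reasons = hidden_reasons(full, name)
            if reasons and name not in expected:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for d in (".Payloads", ".ssh", "docs"):
            os.mkdir(os.path.join(root, d))
        for f in (".Payloads/run.bin", ".ssh/known_hosts",
                  "docs/.stage.tmp", "docs/readme.txt"):
            open(os.path.join(root, *f.split("/")), "w").close()
        return find_hidden(root)

if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

Files inside a hidden folder are reported only if they are hidden themselves, so a finding on a directory should prompt a review of its contents.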
