Hidden Files and Directories

Information

• Name: Hidden Files and Directories

• ID: T1564.001

• Tactics: TA0005

• Technique: T1564

Introduction

Hidden Files and Directories (T1564.001) is a sub-technique within the MITRE ATT&CK framework under the "Hide Artifacts" technique (T1564). This technique involves adversaries creating or modifying files and directories to conceal their presence, evade detection, and maintain persistence within compromised environments. Attackers often leverage hidden files and directories to store malicious payloads, scripts, configuration files, or exfiltrated data, making it challenging for security analysts and automated security tools to identify and remediate threats.

Deep Dive Into Technique

Adversaries commonly leverage hidden files and directories by exploiting file system attributes and operating system behaviors to obscure malicious activities. The following methods detail common approaches:

• Unix/Linux Systems:

  • Files and directories prefixed with a period (.) are hidden by default from standard directory listings, e.g., .bash_history, .ssh, .config.

  • Attackers may create hidden directories in legitimate paths, such as user home directories (~/.config), /tmp, /var/tmp, or /dev/shm.

  • File attributes may also be manipulated using commands like chattr +i (immutable) or chattr +a (append-only) to prevent modification or deletion and further evade detection.

• Windows Systems:

  • Adversaries use file attributes to hide files/directories by setting the "Hidden" or "System" attributes using commands such as attrib +h +s malicious.exe.

  • Files or directories may also be placed in system directories or hidden AppData folders (%AppData%, %ProgramData%), making them less visible to casual inspection.

  • Attackers may create directories or files with names similar to legitimate system components or hidden file extensions to confuse users and analysts.

• File System and NTFS Alternate Data Streams (ADS):

  • Attackers can leverage NTFS ADS to attach malicious payloads to legitimate files, effectively hiding them from standard directory listings and casual inspection.

• Encoding and Obfuscation:

  • Attackers may employ encoding or obfuscation techniques in filenames or directory names to avoid detection by pattern-based or signature-based detection tools.

When this Technique is Usually Used

This sub-technique is typically employed at various stages of a cyberattack lifecycle, including:

• Persistence: Attackers hide malicious scripts, binaries, or scheduled tasks to maintain long-term access to compromised systems.

• Defense Evasion: Concealing artifacts helps adversaries evade detection by endpoint detection and response (EDR) solutions, antivirus software, and manual inspections.

• Credential Access and Privilege Escalation: Attackers may store harvested credentials, password hashes, or privilege escalation scripts in hidden files or directories to avoid detection.

• Collection and Exfiltration: Hidden directories and files may store sensitive data temporarily before exfiltration, reducing the likelihood of detection during data theft operations.

• Lateral Movement: Attackers may use hidden directories and files to store tools, scripts, or payloads needed to move laterally within compromised networks.

How this Technique is Usually Detected

Detection of hidden files and directories requires a combination of proactive monitoring, automated tooling, and manual inspection:

• Filesystem Auditing:

  • Regularly audit file systems for hidden files/directories by scanning for file attributes (e.g., hidden or system attributes on Windows, dot-prefixed files on Unix/Linux).

  • Use automated scripts or tools like PowerShell, Python, or Bash scripts to regularly enumerate and log hidden files and directories.

• Endpoint Detection and Response (EDR) Solutions:

  • EDR solutions can monitor filesystem events, attribute changes, and suspicious file creations, alerting analysts to hidden artifacts.

  • Behavioral analytics and machine learning-based detection can identify anomalous file creation or attribute modification activities.

• Security Information and Event Management (SIEM):

  • SIEM solutions can aggregate logs from endpoints and file servers to identify unusual file creation or modification patterns indicative of hidden files/directories.

  • Correlate filesystem events with other indicators of compromise (IoCs) such as suspicious network connections or process activities.

• Indicators of Compromise (IoCs):

  • Unexpected hidden files/directories in user home directories, temporary folders, system directories, or application data folders.

  • Presence of NTFS Alternate Data Streams (ADS) on critical system files.

  • Suspicious filenames or directory names mimicking legitimate system components or using obfuscation techniques.

Why it is Important to Detect This Technique

Detecting hidden files and directories is crucial due to several potential impacts on organizations:

• Persistence and Long-Term Compromise:

  • Hidden artifacts allow attackers to maintain long-term access, enabling prolonged compromise and increased risk of data theft or damage.

• Data Exfiltration and Theft:

  • Hidden directories often store sensitive data temporarily, facilitating covert exfiltration and increasing the risk of data breaches.

• Evasion of Security Controls:

  • Attackers leverage hidden files to evade detection by traditional antivirus and endpoint security solutions, increasing the difficulty of threat detection and response.

• Credential Theft and Privilege Escalation:

  • Hidden files may contain stolen credentials or scripts for privilege escalation, enabling attackers to escalate privileges and compromise additional systems within the network.

• Operational and Reputational Impact:

  • Undetected hidden artifacts can lead to extended compromise durations, resulting in significant operational disruption, financial losses, regulatory penalties, and reputational harm.

Early detection and remediation of hidden files and directories significantly reduce the risk of advanced persistent threats (APTs), data breaches, and operational disruption.

Examples

Real-world examples illustrating the usage of hidden files and directories in cyberattacks include:

• Linux Malware Campaigns:

  • Attackers frequently employ hidden directories such as .ssh, .config, or .cache within user home directories to store malicious scripts, SSH keys, or cryptocurrency mining payloads.

  • Example: Linux malware "Skidmap" creates hidden directories and files to store malicious kernel modules and cryptocurrency mining software.

• Windows-based Attacks:

  • Attackers often use hidden files with system attributes to conceal payloads or scripts in directories like %AppData%, %ProgramData%, or temporary folders.

  • Example: The banking trojan "TrickBot" has been observed using hidden files with system attributes to evade detection and maintain persistence on infected Windows systems.

• NTFS Alternate Data Streams (ADS):

  • Attackers can embed malicious executables or scripts within NTFS ADS, hiding them from traditional directory listings and file explorers.

  • Example: The "PowerDuke" malware campaign leveraged NTFS ADS to store malicious payloads and evade endpoint detection systems.

• Advanced Persistent Threat (APT) Groups:

  • State-sponsored threat actors frequently use hidden directories and files to store reconnaissance scripts, backdoors, or exfiltrated data.

  • Example: APT28 (Fancy Bear) has been known to leverage hidden directories to store malicious payloads and scripts during targeted espionage campaigns.

These examples demonstrate the widespread use of hidden files and directories by adversaries across various operating systems and attack scenarios, highlighting the importance of proactive detection and mitigation strategies.