Hidden File System

Information

• Name: Hidden File System

• ID: T1564.005

• Tactics: TA0005

• Technique: T1564

Introduction

Hidden File System (T1564.005) is a sub-technique within the MITRE ATT&CK framework, categorized under the "Hide Artifacts" technique (T1564). Attackers employ this technique to obscure file systems from security tools, forensic analysts, and users by manipulating file system structures or using specialized software. The goal is to conceal malicious data, tools, or payloads, making detection, analysis, and remediation significantly more challenging.

Deep Dive Into Technique

Attackers leveraging Hidden File Systems typically utilize advanced methods to conceal files, directories, or entire volumes from standard operating system tools and security software. Common technical implementations include:

• Alternate Data Streams (ADS):

  • Primarily used in NTFS file systems on Windows.

  • Attackers store malicious payloads or scripts within ADS, making them invisible to standard file explorers and command-line directory listings.

  • Example command to create ADS:

    Copy

    type malware.exe > legitimate.txt:malware.exe

• Rootkits and Kernel-Level Manipulation:

  • Rootkits may intercept and modify system calls to hide files or directories from standard system utilities.

  • Kernel-mode rootkits hook into system APIs, preventing file enumeration and detection by antivirus software.

  • Attackers may modify or patch kernel drivers to achieve file system concealment.

• Hidden Partitions and Volumes:

  • Attackers can create hidden partitions or encrypted volumes that do not mount automatically and remain invisible to standard OS utilities.

  • Tools like TrueCrypt/VeraCrypt can create hidden encrypted volumes inside standard encrypted containers, making discovery challenging without specific decryption keys or forensic analysis.

• File System Metadata Manipulation:

  • Attackers may manipulate file system metadata (such as Master File Table entries in NTFS) to hide files from directory listings.

  • Techniques include altering file attributes, timestamps, or directory pointers, rendering files invisible to standard OS utilities.

When this Technique is Usually Used

Hidden File System techniques are typically employed across various stages of cyber-attacks, including:

• Persistence:

  • Attackers hide persistent malware or backdoors to evade detection and maintain long-term access.

  • Hidden files or partitions ensure attackers can regain access even after initial detection and removal attempts.

• Defense Evasion:

  • Concealing malicious payloads, tools, scripts, or exfiltrated data to avoid detection by antivirus, endpoint detection and response (EDR) solutions, or forensic investigations.

  • Attackers commonly use hidden file systems to evade routine security scans and audits.

• Data Exfiltration and Storage:

  • Attackers temporarily store sensitive data within hidden file systems before exfiltration.

  • Hidden encrypted volumes or partitions provide secure staging areas for exfiltrated data, reducing detection risk.

• Credential and Tool Storage:

  • Attackers store credentials, scripts, or exploitation tools within hidden file system areas to prevent detection and facilitate lateral movement or privilege escalation.

How this Technique is Usually Detected

Detecting hidden file systems typically requires specialized tools, techniques, and monitoring solutions. Common detection methods include:

• File System Forensics and Analysis Tools:

  • Use forensic tools (FTK, EnCase, Sleuth Kit, Autopsy) to analyze file system structures and identify hidden partitions, volumes, or ADS.

  • Regular forensic analysis can uncover discrepancies in file system metadata or unexpected file system anomalies.

• Kernel-Level Monitoring and Integrity Checks:

  • Employ kernel-integrity monitoring tools (Rootkit detectors, Sysinternals Suite, GMER, RootkitRevealer) to detect kernel-level file hiding techniques.

  • Monitor kernel APIs and system calls for suspicious hooking or interception behaviors.

• Behavioral Analysis and Endpoint Detection Solutions:

  • Endpoint Detection and Response (EDR) solutions can detect suspicious file system behaviors, such as unusual file creation, attribute modifications, or ADS usage.

  • Behavioral analytics and anomaly detection can flag hidden file system activities as suspicious.

• Regular Scanning for Alternate Data Streams:

  • Use specialized utilities (Streams.exe from Sysinternals) to scan and detect hidden ADS content.

  • Example detection command:

    Copy

    streams.exe -s C:\

• Indicators of Compromise (IoCs):

  • Presence of unusual or unauthorized file system drivers or kernel modules.

  • Unexpected hidden partitions or encrypted volumes detected during forensic disk analysis.

  • Files exhibiting unusual attributes or timestamps indicating tampering.

  • Detection of ADS containing executable or script payloads.

Why it is Important to Detect This Technique

Early detection of Hidden File Systems is critical due to their severe implications for organizational security:

• Persistent Threat Presence:

  • Hidden file systems enable attackers to maintain persistent, undetected access, prolonging compromise duration and increasing damage potential.

• Data Exfiltration Risks:

  • Hidden encrypted volumes or ADS may store sensitive or proprietary information, facilitating stealthy data exfiltration and intellectual property theft.

• Compromise of System Integrity:

  • Kernel-level rootkits and file system manipulation severely undermine system integrity, reliability, and trustworthiness, complicating remediation and recovery efforts.

• Challenges in Incident Response:

  • Hidden file systems significantly hinder forensic investigations and incident response, delaying containment, eradication, and recovery processes.

  • Early detection reduces response complexity and accelerates recovery timelines.

• Regulatory and Compliance Implications:

  • Failure to detect hidden file systems containing sensitive data may result in regulatory non-compliance, legal repercussions, and reputational damage.

Examples

Real-world examples of Hidden File System usage include:

• Duqu Malware (ADS Usage):

  • Duqu malware leveraged Alternate Data Streams to conceal payloads and configuration data.

  • ADS allowed Duqu to evade standard file system scans and antivirus detection, enabling persistent espionage activities.

• ZeroAccess Rootkit (Kernel-Level File Hiding):

  • ZeroAccess employed kernel-mode rootkit techniques to intercept system calls and hide malicious files and directories.

  • The rootkit concealed its presence from standard OS utilities, complicating detection and remediation efforts.

• Equation Group Malware (Hidden Encrypted Partitions):

  • Equation Group malware created hidden encrypted partitions on victim systems to store persistent implants, tools, and exfiltrated data.

  • Hidden partitions remained undetected by standard monitoring tools, enabling long-term espionage campaigns.

• Havex Malware (ADS and Metadata Manipulation):

  • Havex malware utilized ADS and file system metadata manipulation to conceal payloads and configuration files from detection.

  • This technique allowed Havex to maintain stealthy persistence and evade endpoint security solutions.

• Turla APT (Hidden File System Techniques):

  • Turla APT group frequently used hidden file system techniques, including ADS and kernel-level rootkits, to maintain long-term persistence and evade detection.

  • Turla's advanced file hiding methods complicated detection, forensic analysis, and incident response efforts.