T1158 - Hidden Files and Directories
To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (
dir /afor Windows and
ls –afor Linux and macOS).
Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.
Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed:
defaults write com.apple.finder AppleShowAllFiles YES, and then relaunch the Finder Application.
How to Detect
Simulating the attack
mv file to a .file
Data sources required to detect the attack
find the hidden files/dirs from certain directory paths like (/home/$user) and dump it to a location and ingest the file and look for any malicious hidden files (scripted input to the Splunk)
Splunk Queries to detect the attack
There are 2 ways by which we can capture this
index=linux sourcetype=bash_history bash_command="mkdir .*" | table host,user_name,bash_command
index=linux sourcetype=bash_history bash_command="mv * .*" | table host,user_name,bash_command
find_hidden_files.sh script can be run on a regular interval and check for any suspecious file creation. A whitelist can be craeted to filter out the standard hidden files/directories in a linux system.
find /home/ -name ".*" find /home/ -type d -name ".*" find /home/ -type f -name ".*"