Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
48 lines (34 sloc) 2.53 KB

T1158 - Hidden Files and Directories

Description from ATT&CK

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

Linux/Mac

Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: defaults write com.apple.finder AppleShowAllFiles YES, and then relaunch the Finder Application.

How to Detect

Simulating the attack

mkdir .hidden-directory
mv file to a .file

Data sources required to detect the attack

bash_history logs

find the hidden files/dirs from certain directory paths like (/home/$user) and dump it to a location and ingest the file and look for any malicious hidden files (scripted input to the Splunk)

Splunk Queries to detect the attack

There are 2 ways by which we can capture this

bash_history

index=linux sourcetype=bash_history bash_command="mkdir .*" | table host,user_name,bash_command
index=linux sourcetype=bash_history bash_command="mv * .*" | table host,user_name,bash_command

find_hidden_files.sh

find_hidden_files.sh script can be run on a regular interval and check for any suspecious file creation. A whitelist can be craeted to filter out the standard hidden files/directories in a linux system.

find /home/ -name ".*" 
find /home/ -type d -name ".*" 
find /home/ -type f -name ".*"

Caution

You can’t perform that action at this time.