Try it using Invoke-Atomic

Hide Artifacts: Hidden Files and Directories

Description from ATT&CK

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Create a hidden file in a hidden directory

Creates a hidden file inside a hidden directory

Supported Platforms: linux,macos

auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be

Inputs:

None

Attack Commands: Run with sh!

1
2
3
mkdir /var/tmp/.hidden-directory
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file

Cleanup Commands:

1
2
rm -rf /var/tmp/.hidden-directory/

Atomic Test #2 - Mac Hidden file

Hide a file on MacOS

Supported Platforms: macos

auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9

Inputs:

None

Attack Commands: Run with sh!

1
2
xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"

Atomic Test #3 - Create Windows System File with Attrib

Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details and observe that the Attributes are "SA" for System and Archive.

Supported Platforms: windows

auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32

Inputs:

Name Description Type Default Value
file_to_modify File to modify using Attrib command string %temp%\T1564.001.txt

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
attrib.exe +s #{file_to_modify}

Cleanup Commands:

1
2
del /A:S #{file_to_modify} >nul 2>&1

Dependencies: Run with command_prompt!

Description: The file must exist on disk at specified location (#{file_to_modify})

Check Prereq Commands:

1
2
IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )

Get Prereq Commands:

1
2
echo system_Attrib_T1564.001 >> #{file_to_modify}

Atomic Test #4 - Create Windows Hidden File with Attrib

Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes are "SH" for System and Hidden.

Supported Platforms: windows

auto_generated_guid: dadb792e-4358-4d8d-9207-b771faa0daa5

Inputs:

Name Description Type Default Value
file_to_modify File to modify using Attrib command string %temp%\T1564.001.txt

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
attrib.exe +h #{file_to_modify}

Cleanup Commands:

1
2
del /A:H #{file_to_modify} >nul 2>&1

Dependencies: Run with command_prompt!

Description: The file must exist on disk at specified location (#{file_to_modify})

Check Prereq Commands:

1
2
IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )

Get Prereq Commands:

1
2
echo system_Attrib_T1564.001 >> #{file_to_modify}

Atomic Test #5 - Hidden files

Requires Apple Dev Tools

Supported Platforms: macos

auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379

Inputs:

Name Description Type Default Value
filename path of file to hide path /tmp/evil

Attack Commands: Run with sh!

1
2
setfile -a V #{filename}

Atomic Test #6 - Hide a Directory

Hide a directory on MacOS

Supported Platforms: macos

auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3

Inputs:

None

Attack Commands: Run with sh!

1
2
3
touch /var/tmp/T1564.001_mac.txt
chflags hidden /var/tmp/T1564.001_mac.txt

Cleanup Commands:

1
2
rm /var/tmp/T1564.001_mac.txt

Atomic Test #7 - Show all hidden files

Show all hidden files on MacOS

Supported Platforms: macos

auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c

Inputs:

None

Attack Commands: Run with sh!

1
2
defaults write com.apple.finder AppleShowAllFiles YES

Cleanup Commands:

1
2
defaults write com.apple.finder AppleShowAllFiles NO

source