Description
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files, either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a on Windows and ls -a on Linux and macOS).
On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
Additionally, adversaries may name files in a manner that causes them to be hidden, such as naming a file with only a “space” character.
Adversaries can use this to their advantage to hide files and folders anywhere on the system, evading a typical user or system analysis that does not incorporate investigation of hidden files.
Platforms
Threat Groups (12)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)(Citation: Talos Sedu... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) added the “hidden” file attribute to original files, manipulating victims to click on malicious LNK f... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used malware to store malicious binaries in hidden directories on victim's USB drives.(Citat... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used a VBA Macro to set its file attributes to System and Hidden and has named files with a... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129)'s [PlugX](https://attack.mitre.org/software/S0013) variant has created a hidden folder on USB d... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has created a hidden directory under <code>C:\ProgramData\Apple\Updates\</code> and <code>C:\U... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used `attrib +h “C:\ProgramData\ssh”` to make the SSH folder hidden.(Citation: BlackBerry_FIN7_April... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) downloaded a file "libprocesshider", which could hide files on the target system.(Citation: Talos Rocke... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has created hidden files and folders within a compromised Linux system `/tmp` directory. [FIN13](https:... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) can hide legitimate directories and replace them with malicious copies of the same name.(Ci... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has hidden files on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s macOS backdoor hides the clientID file via a chflags function.(Citation: ESET OceanLotus macOS April ... |
Associated Software (45)
| ID | Name | Type | Context |
|---|---|---|---|
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has placed its payload in hidden subdirectories.(Citation: Trend Micro Black Basta October 2022) |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) uses a hidden folder named <code>.xcassets</code> and <code>.git</code> to embed itself in Xcode.(Ci... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) has copied its binary and the victim's scraped password into a hidden folder in the `/Users`... |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has the ability to set its file attributes to hidden.(Citation: Trend Micro DRBControl February 2... |
| S0612 | WastedLocker | Malware | [WastedLocker](https://attack.mitre.org/software/S0612) has copied a random file from the Windows System32 folder to the <code>%APPDATA%</code> locati... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) can modify the characteristics of folders to hide them from the compromised user.(Citation: Proofpoin... |
| S0369 | CoinTicker | Malware | [CoinTicker](https://attack.mitre.org/software/S0369) downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020) |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has added a leading <code>.</code> to plist filenames, unlisting them from the Finder app and def... |
| S1219 | REPTILE | Malware | [REPTILE](https://attack.mitre.org/software/S1219) has the ability to communicate with the kernel-mode component to hide files.(Citation: Google Cloud... |
| S0402 | OSX/Shlayer | Malware | [OSX/Shlayer](https://attack.mitre.org/software/S0402) has executed a .command script from a hidden directory in a mounted DMG.(Citation: Carbon Black... |
| S0595 | ThiefQuest | Malware | [ThiefQuest](https://attack.mitre.org/software/S0595) hides a copy of itself in the user's <code>~/Library</code> directory by using a <code>.</code> ... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden"... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) has the ability to set file attributes to "hidden" to hide files from the compromised user's vie... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) sets the main loader file’s attributes to hidden.(Citation: TrendMicro MacOS April 2018) |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can create hidden system directories.(Citation: ESET InvisiMole June 2020) |
| S1236 | CLAIMLOADER | Malware | [CLAIMLOADER](https://attack.mitre.org/software/S1236) has modified file attributes to remain hidden to a standard user.(Citation: 2025_IBM_PUBLOAD_TO... |
| S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) can use hidden directories and files to hide malicious executables.(Citation: MSTIC Nobelium Tool... |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to set the file attribute to hidden.(Citation: QiAnXin APT... |
| S1043 | ccf32 | Malware | [ccf32](https://attack.mitre.org/software/S1043) has created a hidden directory on targeted systems, naming it after the current local time (year, mon... |
References
- Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
Frequently Asked Questions
What is T1564.001 (Hidden Files and Directories)?
T1564.001 is a MITRE ATT&CK technique named 'Hidden Files and Directories'. It belongs to the Stealth tactic(s). Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the conc...
How can T1564.001 be detected?
Detection of T1564.001 (Hidden Files and Directories) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1564.001?
Known threat groups using T1564.001 include: APT28, RedCurl, LuminousMoth, Lazarus Group, Mustang Panda, Tropic Trooper, FIN7, Rocke.