
Hide Artifacts: Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a 'hidden' file. These files don't show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files, either via a series of Graphical User Interface (GUI) prompts or with command-line switches (dir /a on Windows and ls -a on Linux and macOS). On Linux and Mac, users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ".", are by default hidden from being viewed in the Finder application and standard command-line utilities like "ls"; users must specifically change settings to make these files viewable. Files on macOS can also be marked with the UF_HIDDEN flag, which prevents them from being seen in Finder.app but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary.

Many applications create these hidden files and folders to store information so that it doesn't clutter up the user's workspace. For example, SSH utilities create a .ssh folder that is hidden and contains the user's known hosts and keys. Adversaries can use this to their advantage to hide files and folders anywhere on the system, evading a typical user or system analysis that does not incorporate investigation of hidden files.
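The three hiding mechanisms described above (dot prefix, the macOS UF_HIDDEN flag, and the Windows HIDDEN/SYSTEM attributes set by attrib.exe) can be audited with one pass over a directory tree. The following is an added example, not ATT&CK or SECURITM code; the function and constant names are this example's own, and the fallback constant values are the documented platform values.

```python
"""Audit a directory tree for entries a default listing would omit.
Added example (not ATT&CK or SECURITM code)."""
import os
import stat

# Python's stat module defines these on every platform; the fallbacks are the
# documented values (macOS/BSD UF_HIDDEN, Windows FILE_ATTRIBUTE_*) just in case.
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
FILE_ATTRIBUTE_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)


def hidden_reasons(name, st_flags=0, st_file_attributes=0):
    """Return every reason a directory entry is hidden from a default view:
    dot prefix (Linux/macOS), UF_HIDDEN (macOS Finder), or the Windows
    HIDDEN / SYSTEM attributes (attrib +h / +s). Empty list = visible."""
    reasons = []
    if name.startswith("."):
        reasons.append("dot-prefix")
    if st_flags & UF_HIDDEN:
        reasons.append("UF_HIDDEN")
    if st_file_attributes & FILE_ATTRIBUTE_HIDDEN:
        reasons.append("FILE_ATTRIBUTE_HIDDEN")
    if st_file_attributes & FILE_ATTRIBUTE_SYSTEM:
        reasons.append("FILE_ATTRIBUTE_SYSTEM")
    return reasons


def scan_hidden(root):
    """Walk root and yield (path, reasons) for each hidden file or directory.
    os.walk descends into hidden directories, so their contents are covered too."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report symlinks themselves, not targets
            except OSError:
                continue
            reasons = hidden_reasons(
                name,
                getattr(st, "st_flags", 0),            # present on macOS/BSD only
                getattr(st, "st_file_attributes", 0),  # present on Windows only
            )
            if reasons:
                yield path, reasons


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, reasons in scan_hidden(target):
        print(f"{path}: {', '.join(reasons)}")
```

Run against a user profile, the output is the set of entries an analyst would miss with plain `ls` or Explorer, with the mechanism that hides each one.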

ID: T1564.001
Sub-technique of: T1564
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Permissions Required: User
Data Sources: Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Version: 1.0
Created: 26 Feb 2020
Last Modified: 29 Mar 2020

Procedure Examples

Name / Description
XCSSET

XCSSET uses a hidden folder named .xcassets and .git to embed itself in Xcode.(Citation: trendmicro xcsset xcode project 2020)

APT28

APT28 has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)

Clambling

Clambling has the ability to set its file attributes to hidden.(Citation: Trend Micro DRBControl February 2020)

WastedLocker

WastedLocker has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename.(Citation: NCC Group WastedLocker June 2020)

PlugX

PlugX can modify the characteristics of folders to hide them from the compromised user.(Citation: Proofpoint TA416 Europe March 2022)

Lazarus Group

Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)

CoinTicker

CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].(Citation: CoinTicker 2019)

Mustang Panda

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.(Citation: Avira Mustang Panda January 2020)

PoetRAT

PoetRAT has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)

AppleJeus

AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings.(Citation: CISA AppleJeus Feb 2021)

OSX/Shlayer

OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.(Citation: Carbon Black Shlayer Feb 2019)

Tropic Trooper

Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)

ThiefQuest

ThiefQuest hides a copy of itself in the user's ~/Library directory by using a . at the beginning of the file name followed by 9 random characters.(Citation: wardle evilquest parti)

Rocke

Rocke downloaded a file "libprocesshider", which could hide files on the target system.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)

LoudMiner

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".(Citation: ESET LoudMiner June 2019)

QuasarRAT

QuasarRAT has the ability to set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer.(Citation: CISA AR18-352A Quasar RAT December 2018)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.(Citation: TrendMicro MacOS April 2018)

InvisiMole

InvisiMole can create hidden system directories.(Citation: ESET InvisiMole June 2020)

EnvyScout

EnvyScout can use hidden directories and files to hide malicious executables.(Citation: MSTIC Nobelium Toolset May 2021)

Imminent Monitor

Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.(Citation: QiAnXin APT-C-36 Feb2019)

ccf32

ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).(Citation: Bitdefender FunnyDream Campaign November 2020)

Ixeshe

Ixeshe sets its own executable file's attributes to hidden.(Citation: Trend Micro IXESHE 2012)

MacSpy

MacSpy stores itself in ~/Library/.DS_Stores/ (Citation: alientvault macspy)

Transparent Tribe

Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.(Citation: Kaspersky Transparent Tribe August 2020)

Okrum

Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.(Citation: ESET Okrum July 2019)

Agent Tesla

Agent Tesla has created hidden folders.(Citation: SentinelLabs Agent Tesla Aug 2020)

Carberp

Carberp has created a hidden file in the Startup folder of the current user.(Citation: Trusteer Carberp October 2010)

WannaCry

WannaCry uses attrib +h to make some of its files hidden.(Citation: LogRhythm WannaCry)

NETWIRE

NETWIRE can copy itself to and launch itself from hidden folders.(Citation: Red Canary NETWIRE January 2020)

Lokibot

Lokibot has the ability to copy itself to a hidden file and directory.(Citation: Infoblox Lokibot January 2019)

iKitten

iKitten saves itself with a leading "." so that it's hidden from users by default.(Citation: objsee mac malware 2017)

SysUpdate

SysUpdate has the ability to set file attributes to hidden.(Citation: Trend Micro Iron Tiger April 2021)

FruitFly

FruitFly saves itself with a leading "." to make it a hidden file.(Citation: objsee mac malware 2017)

BackConfig

BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.(Citation: Unit 42 BackConfig May 2020)

Attor

Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.(Citation: ESET Attor Oct 2019)

APT32

APT32's macOS backdoor hides the clientID file via a chflags function.(Citation: ESET OceanLotus macOS April 2019)

Calisto

Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)

Explosive

Explosive has commonly set file and path attributes to hidden.(Citation: CheckPoint Volatile Cedar March 2015)

Micropsia

Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.(Citation: Radware Micropsia July 2018)

Dacls

Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)

Rising Sun

Rising Sun can modify file attributes to hide files.(Citation: McAfee Sharpshooter December 2018)

Komplex

The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.(Citation: Sofacy Komplex Trojan)

SLOTHFULMEDIA

SLOTHFULMEDIA has been created with a hidden attribute to ensure it is not visible to the victim.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

Machete

Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.(Citation: ESET Machete July 2019)

Detection

Monitor the file system and shell commands for files being created with a leading "." and for Windows command-line use of attrib.exe to add the hidden attribute.
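The detection guidance above, applied to constructed process-creation and file-creation events of the kind the listed data sources produce. This is an added example, not ATT&CK or SECURITM code; the event shape, the chflags rule (drawn from the APT32 procedure example) and the dotfile allowlist are this example's own assumptions.

```python
"""Flag hidden-file creation in constructed telemetry. Added example."""
import re
import ntpath
import posixpath

# Constructed sample events (not real telemetry). Paths borrow names from the
# procedure examples on this page; the random-looking names are made up.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +s +h "C:\Users\Public\Documents\Flash\svc.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib -r C:\Users\bob\notes.txt"},          # benign use
    {"type": "process", "image": "/usr/bin/chflags",
     "cmdline": "chflags hidden /Users/Shared/.local/kextd"},
    {"type": "file_create", "path": "/Users/bob/Library/.a1b2c3d4e"},
    {"type": "file_create", "path": "/Users/bob/Desktop/.DS_Store"},  # allowlisted
    {"type": "file_create", "path": r"C:\ProgramData\Apple\Updates\cfg.dat"},
]

# attrib accepts +h / +H as a separate token; match it anywhere in the command line.
ATTRIB_HIDE = re.compile(r"(^|\s)\+h\b", re.IGNORECASE)
# Dotfiles ordinary software writes constantly (assumed list; tune per environment).
DOTFILE_ALLOWLIST = {".DS_Store", ".gitignore", ".bash_history"}


def basename(path):
    """Basename for either Windows or POSIX paths."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def detect(event):
    """Return an alert string for one event, or None if nothing matched."""
    if event["type"] == "process":
        image = basename(event["image"]).lower()
        cmd = event["cmdline"]
        if image == "attrib.exe" and ATTRIB_HIDE.search(cmd):
            return f"attrib hidden attribute set: {cmd}"
        if image == "chflags" and re.search(r"\bhidden\b", cmd):
            return f"chflags UF_HIDDEN set: {cmd}"
    elif event["type"] == "file_create":
        name = basename(event["path"])
        if name.startswith(".") and name not in DOTFILE_ALLOWLIST:
            return f"dot-prefixed file created: {event['path']}"
    return None


def run(events):
    """Evaluate every event and return the list of alerts in input order."""
    return [alert for alert in (detect(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The allowlist is the knob that decides the false-positive rate: without it, every .DS_Store written by Finder fires the dotfile rule.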

References

  1. Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  3. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  4. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  5. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  6. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  7. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  8. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  9. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  10. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  11. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  12. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  13. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  14. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  15. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  16. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  17. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  18. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  19. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  20. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  21. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  22. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  23. PETER EWANE. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018.
  24. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  25. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  26. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  27. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  28. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  29. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  30. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  31. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  32. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  33. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  34. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  35. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  36. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  37. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  38. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  39. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  40. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  41. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  42. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  43. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  44. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  45. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  46. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  47. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  48. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  49. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  50. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

Related Risks

Nothing found
