Hidden Files
Defense Evasion, Persistence

Execution

Hiding the file mantvydas.sdb using a native Windows binary:

PS C:\experiments> attrib.exe +h .\mantvydas.sdb
Note how PowerShell (or cmd) reports that the file does not exist when you list or reference it by name in the usual way; however, you can still read its contents (for example with Get-Content or type) if you already know the file name:

Note that dir /a:h (attribute: hidden) in cmd, and Get-ChildItem -Force (or -Hidden) in PowerShell, reveal files that have the "hidden" attribute set. Running attrib with no switches also prints the attributes of each file:
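The full round trip described above, as an added example (not code from the original page): create a file, hide it with attrib.exe, show that the default listing omits it while the content stays readable, and then reveal it from both PowerShell and cmd. The working directory under $env:TEMP and the placeholder file content are assumptions for the demo; the file name mantvydas.sdb is the page's. The last step, setting the attribute through the .NET file API, is included because it produces the same result without ever launching attrib.exe.

```powershell
# Added example, not from the original page.
# Assumes a writable directory under $env:TEMP; the file content is a placeholder.
$dir  = Join-Path $env:TEMP 'experiments'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'mantvydas.sdb'
Set-Content -Path $file -Value 'placeholder content'

# 1. Set the hidden attribute with the native binary
attrib.exe +h $file

# 2. A default listing omits the file, and asking for it by name fails
Get-ChildItem -Path $dir                       # mantvydas.sdb is not shown
Get-ChildItem -Path $file -ErrorAction SilentlyContinue   # nothing returned

# 3. The content is still readable if you know the name
Get-Content -Path $file

# 4. Reveal hidden files: PowerShell (-Force shows all, -Hidden shows only hidden)
Get-ChildItem -Path $dir -Force
Get-ChildItem -Path $dir -Hidden

#    ... and cmd (dir /a:h); attrib with no switches lists the attributes
cmd.exe /c "dir /a:h `"$dir`""
attrib.exe $file                               # prints "  H  <path>"

# 5. Same effect via the .NET API, without spawning attrib.exe
#    (no attrib.exe command line for a detection rule to see)
$attrs = [System.IO.File]::GetAttributes($file)
[System.IO.File]::SetAttributes($file, $attrs -bor [System.IO.FileAttributes]::Hidden)
[System.IO.File]::GetAttributes($file)         # includes "Hidden"

# 6. Clean up: clear the attribute, then delete the file
attrib.exe -h $file
Remove-Item -Path $file
```

Step 2 is the behaviour the screenshot in the original page illustrates: the file system provider filters hidden items out of Get-ChildItem unless -Force is given, so referencing the file by name without -Force reports it as not found even though step 3 reads it without any trouble.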

Observations

As usual, monitoring command-line arguments is a good way to identify these events: a process-creation log with command-line logging enabled (Sysmon Event ID 1, or Security Event ID 4688 with "Include command line in process creation events" turned on) will show attrib.exe being launched with a +h switch. Keep in mind that the hidden attribute can also be set through the file API (for example from PowerShell via [System.IO.File]::SetAttributes or Set-ItemProperty, or from any program calling SetFileAttributes) without attrib.exe ever starting, so command-line monitoring alone misses those cases and file-level telemetry is needed to catch them:
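A small detection routine for the command-line monitoring described above, as an added example (not from the original page). It runs over constructed process-creation records shaped like the Image and CommandLine fields of Sysmon Event ID 1 / Security 4688; the sample records and the regular expressions are assumptions for the demo, not a published rule. It flags attrib.exe runs that add the H attribute (including combined switches such as +s +h) and PowerShell command lines that set the Hidden attribute through the .NET API or Set-ItemProperty, and it deliberately ignores attrib -h and unrelated processes.

```powershell
# Added example, not from the original page.
# Returns $true when a process-creation record looks like a "hide file" action.
function Test-HiddenAttributeCommandLine {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$Image = ''
    )
    $imageName = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()

    # Case 1: attrib.exe (by image path or by command line) adding the H attribute.
    # "+h" may be combined with other letters, e.g. "+sh"; "-h" (unhiding) is ignored.
    $isAttrib = ($imageName -eq 'attrib.exe') -or
                ($CommandLine -match '(?i)(^|[\\\s"])attrib(\.exe)?\b')
    if ($isAttrib) {
        return [bool]($CommandLine -match '(?i)(^|\s)\+[rash]*h')
    }

    # Case 2: PowerShell setting the Hidden attribute without attrib.exe.
    # These patterns are assumptions for the demo; tune them to your environment.
    if ($CommandLine -match '(?i)FileAttributes\]::Hidden') { return $true }
    if ($CommandLine -match '(?i)-Name\s+Attributes\b')    { return $true }

    return $false
}

# Constructed sample records (not real telemetry), shaped like Sysmon EID 1 fields.
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\attrib.exe'
                       CommandLine = 'attrib.exe +h .\mantvydas.sdb' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\attrib.exe'
                       CommandLine = 'attrib +s +h C:\Users\Public\loader.dll' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\attrib.exe'
                       CommandLine = 'attrib -h .\mantvydas.sdb' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -c "[IO.File]::SetAttributes(''x.sdb'', [IO.FileAttributes]::Hidden)"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -c "Set-ItemProperty x.sdb -Name Attributes -Value Hidden"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe readme.txt' }
)

# Expected: the first, second, fourth and fifth records are flagged; the rest are not.
$events | ForEach-Object {
    [pscustomobject]@{
        Suspicious  = Test-HiddenAttributeCommandLine -CommandLine $_.CommandLine -Image $_.Image
        CommandLine = $_.CommandLine
    }
} | Format-Table -AutoSize
```

The attrib branch keys on the image name as well as the command line so that a renamed copy of the binary still matches when the original file name is preserved in the image path, and a command line that only mentions "attrib" inside an argument does not. A file hidden by a process that was already running (a script calling SetFileAttributes mid-execution, for instance) produces no process-creation event at all, which is why the page's observation about command-line monitoring should be paired with file-system auditing or EDR file telemetry.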

References

Hide Artifacts: Hidden Files and Directories, Sub-technique T1564.001 - Enterprise | MITRE ATT&CK®