隐藏文件和隐藏目录

为了防止普通用户意外更改系统上的特殊文件，大多数操作系统都具有“隐藏”文件的概念。当用户使用GUI浏览文件系统或在命令行上使用常规命令时，这些文件不会显示。用户必须通过一系列图形用户界面（GUI）提示或使用命令行开关（dir/a对于Windows以及ls –a的Linux和macOS）明确要求显示隐藏文件。

攻击者可以利用此优势来隐藏系统上任何位置的文件和文件夹，以实现持久性，并逃避不包含对隐藏文件的调查的典型用户或系统分析。

Hidden Files and Directories

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

windows

用户可以使用attrib.exe二进制文件将特定文件标记为隐藏。只需attrib +h filename将文件或文件夹标记为隐藏即可。同样，“ + s”将文件标记为系统文件，“ + r”标志将文件标记为只读。像大多数Windows二进制文件一样，attrib.exe二进制文件提供了以递归方式“ / S”应用这些更改的功能。

Users can mark specific files as hidden by using the attrib.exe binary. Simply do attrib +h filename to mark a file or folder as hidden. Similarly, the "+s" marks a file as a system file and the "+r" flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively "/S".

Linux / Mac

用户只需将“.”标记为隐藏即可将其标记为隐藏。作为文件或文件夹名称的第一个字符 。默认情况下，以“。”开头的文件和文件夹在Finder应用程序和标准命令行实用程序（如“ ls”）中不会隐藏。用户必须专门更改设置才能查看这些文件。对于命令行用法，通常会有一个标志来查看所有文件（包括隐藏文件）。要在Finder应用程序中查看这些文件，必须执行以下命令：defaults write com.apple.finder AppleShowAllFiles YES，然后重新启动Finder应用程序。

Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name . Files and folder that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like "ls". Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: defaults write com.apple.finder AppleShowAllFiles YES, and then relaunch the Finder Application.

苹果电脑

可以使用UF_HIDDEN标志标记macOS上的文件，这可以防止在Finder.app中看到它们，但仍然允许在Terminal.app 中看到它们。许多应用程序都会创建这些隐藏的文件和文件夹来存储信息，以便不会使用户的工作区变得混乱。例如，SSH实用程序创建一个.ssh文件夹，该文件夹已隐藏并且包含用户的已知主机和密钥。

Files on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app . Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

标签

ID编号： T1158

策略： 绕过防御，持久化

平台： Linux，macOS，Windows

所需权限：user

数据源： 文件监视，过程监视，过程命令行参数

绕过防御： 主机取证分析

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

监视文件系统和Shell命令，以查找带有前导 "."”的文件。和Windows命令行使用attrib.exe添加隐藏属性。

Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribut