
Hidden Files and Directories

T1564.001 · stealth

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line.

Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS). On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”.

Users must specifically change settings to have these files viewable. Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app. On Windows, users can mark specific files as hidden by using the attrib.exe binary.

Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. Additionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a “space” character.

Adversaries can use this to their advantage to hide files and folders anywhere on the system, evading a typical user or system analysis that does not include an investigation of hidden files.
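As an added defender-side example (not code from the page, MITRE or Atomic Red Team), the following Python audits a directory tree for each hiding mechanism described above: the leading "." name, the macOS UF_HIDDEN flag, the Windows Hidden/System attributes and whitespace-only names. It assumes Python 3.8+; the platform-specific stat fields are read with getattr so the audit degrades to name checks on platforms that lack them.

```python
# Added example (not from the page): flag every entry hidden by a mechanism the
# description lists: dot-prefix, macOS UF_HIDDEN, Windows attributes, blank names.
import os, shutil, stat, tempfile
from typing import Dict, List

def hidden_reasons(path: str) -> List[str]:
    """Return why a path counts as hidden (empty list means visible)."""
    name = os.path.basename(path)
    reasons = []
    if name.startswith("."):
        reasons.append("dot-prefix")            # hidden from ls/Finder by default
    if name.strip() == "":
        reasons.append("whitespace-only-name")  # e.g. a file named " "
    try:
        st = os.lstat(path)
    except OSError:
        return reasons
    # st_flags exists only on BSD-derived OSes; UF_HIDDEN is what `chflags hidden` sets
    if getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0):
        reasons.append("UF_HIDDEN")
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only; set by attrib +h / +s
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
        reasons.append("FILE_ATTRIBUTE_HIDDEN")
    if attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4):
        reasons.append("FILE_ATTRIBUTE_SYSTEM")
    return reasons

def find_hidden(root: str) -> Dict[str, List[str]]:
    """Walk root (not following symlinks); map each hidden entry to its reasons."""
    found: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if reasons := hidden_reasons(full):
                found[full] = reasons
    return found

def audit_sample() -> Dict[str, List[str]]:
    """Constructed POSIX tree mirroring the first atomic test; keys are '/'-relative."""
    root = tempfile.mkdtemp(prefix="t1564_001_")
    try:
        os.makedirs(os.path.join(root, ".hidden-directory"))
        for rel, body in ((".hidden-directory/.hidden-file", "T1564.001\n"),
                          ("visible.txt", "visible\n"), (" ", "\n")):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(body)
        return {os.path.relpath(p, root).replace(os.sep, "/"): r
                for p, r in find_hidden(root).items()}
    finally:
        shutil.rmtree(root)
```

Run find_hidden against a real path such as a user's home directory and compare the result with an allowlist of expected entries (.ssh, shell dotfiles, application caches) to surface the unexpected ones.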

Platforms: Linux, macOS, Windows

Actors Using This (14)

Agrius (Iran)
APT17 (China)
APT28 (Russia)
APT3 (China)
APT40 (China)
Bahamut (private mercenary)
Bitter (India)

Likely Attack Path

Techniques that the same actors pair with this one distinctively: those that appear among actors who use this technique noticeably more often than across all actors (lift > 1.15), grouped by kill-chain phase. The × value is that lift multiplier. A near-universal technique pairs with everything at baseline, so its list is short by design.

Atomic Tests (10)

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

Create a hidden file in a hidden directory · sh · linux, macos
Creates a hidden file inside a hidden directory.
    mkdir /var/tmp/.hidden-directory
    echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file

Mac Hidden file · sh · macos
Hide a file on macOS. (The command below lists extended attributes recursively and greps for the FinderInfo byte pattern that carries the hidden bit; the original redirection "2>&1 /dev/null" passed /dev/null to xattr as an extra argument and has been corrected to "2>/dev/null".)
    xattr -lr * / 2>/dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"

Create Windows System File with Attrib · command_prompt · elevated · windows
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in File Explorer, then open Properties > Details and observe that the Attributes are "SA" for System and Archive.
    attrib.exe +s #{file_to_modify}

Create Windows Hidden File with Attrib · command_prompt · elevated · windows
Creates a file and marks it as hidden using the attrib.exe utility. Upon execution, open File Explorer and enable View > Hidden Items. Then open Properties > Details on the file and observe that the Attributes are "SH" for System and Hidden.
    attrib.exe +h #{file_to_modify}

Hidden files · sh · macos
Requires Apple Dev Tools.
    setfile -a V #(unknown)

Hide a Directory · sh · macos
Hide a file on macOS with the UF_HIDDEN flag.
    touch /var/tmp/T1564.001_mac.txt
    chflags hidden /var/tmp/T1564.001_mac.txt

Show all hidden files · sh · macos
Show all hidden files in Finder on macOS.
    defaults write com.apple.finder AppleShowAllFiles YES

Hide Files Through Registry · command_prompt · elevated · windows
Disables the Show Hidden Files switch in the registry. This technique has been abused by several malware families to hide their files from normal users. See how this trojan abuses it: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f

Create Windows Hidden File with PowerShell · powershell · elevated · windows
Creates a file and marks it as hidden through PowerShell. Upon execution, open File Explorer and enable View > Hidden Items. Then open Properties > Details on the file and observe that the Attributes value is "H" (Hidden).
    $file = Get-Item $env:temp\T1564.001-9.txt -Force
    $file.attributes='Hidden'

Create Windows System File with PowerShell · powershell · elevated · windows
Creates a file and marks it as System through PowerShell. Upon execution, open File Explorer and enable View > Hidden Items. Then open Properties > Details on the file and observe that the Attributes value is "S" (System).
    $file = Get-Item $env:temp\T1564.001-10.txt -Force
    $file.attributes='System'

Detection Coverage (2/6 layers)

Coverage across standard detection surfaces. Rows marked "none" have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma): 7
Analytics (MITRE CAR): none
Runtime / container (Falco): 1
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none

Falco Runtime Rules (1)

Container / Linux runtime detections that fire on this technique.

Create Hidden Files or Directories · priority NOTICE
Detecting hidden file or directory creation can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can turn this into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.

Condition:
    ((modify and evt.arg.newpath contains "/.") or
     (mkdir and evt.arg.path contains "/.") or
     (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)))
    and not user_known_create_hidden_file_activities and not exe_running_docker_save
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin