Closed
Description
Adversaries can use the concept of ‘hidden’ files (files that don’t show up unless explicitly asked to be seen) to hide files and folders anywhere on the system for persistence and to evade a typical user or system analysis that does not investigate hidden files.
Adding it as a PBA:
This attack technique would require attempting to create a hidden file/folder and then removing it by running a set of commands.
- LINUX: using a dot (".") before the name of the file/folder to make it hidden; see this
- WINDOWS: using the `attrib` command to make a file/folder hidden; see this
Mapping the technique to the ATT&CK matrix:
Follow this.
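The Linux half of the create-then-remove sequence described above, as an added example that is not part of the original issue or the project's code. It works only inside a scratch directory and also shows the check a defender would run to surface dot-prefixed entries; the function names and the `.pba-hidden-*` entry names are hypothetical.

```shell
#!/bin/sh
# Added example: simulate the hidden file/folder action in a scratch
# directory, compare a default listing with an explicit search, then clean up.
# Function names and the .pba-hidden-* names are hypothetical.

# Create one hidden file and one hidden folder under directory $1.
create_hidden() {
    touch "$1/.pba-hidden-file" && mkdir "$1/.pba-hidden-dir"
}

# Count the entries a default `ls` shows (dot entries are skipped).
count_default_listing() {
    ls "$1" | wc -l | tr -d ' '
}

# Detection side: list dot-prefixed entries directly under $1, sorted.
find_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort
}

# Remove exactly what create_hidden made.
remove_hidden() {
    rm -f "$1/.pba-hidden-file" && rmdir "$1/.pba-hidden-dir"
}

# Run the whole sequence and report what each view saw.
run_simulation() {
    scratch=$(mktemp -d) || return 1
    create_hidden "$scratch" || { rm -rf "$scratch"; return 1; }
    visible=$(count_default_listing "$scratch")
    hidden=$(find_hidden "$scratch" | wc -l | tr -d ' ')
    remove_hidden "$scratch"
    leftover=$(find_hidden "$scratch" | wc -l | tr -d ' ')
    rmdir "$scratch"
    echo "visible=$visible hidden=$hidden leftover=$leftover"
}

run_simulation
```

The default listing reports nothing while the explicit search reports both entries, which is the gap an analysis that skips hidden files leaves open.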