Skip to content

Latest commit

 

History

History
36 lines (20 loc) · 812 Bytes

File metadata and controls

36 lines (20 loc) · 812 Bytes
description
Defense Evasion, Persistence

Hidden Files

Execution

Hiding the file mantvydas.sdb using a native windows binary:

{% code title="attacker@victim" %}

PS C:\experiments> attrib.exe +h .\mantvydas.sdb

{% endcode %}

Note how powershell (or cmd) says the file does not exist, however you can type out its contents if you know the file exists:

Note, that dir /a:h (attribute: hidden) reveals files with a "hidden" attribute set:

Observations

As usual, monitoring commandline arguments may be a good idea if you want to identify these events:

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1158" %}