ID | F0005 |
Objective(s) | Defense Evasion, Persistence |
Related ATT&CK Techniques | Hide Artifacts: Hidden Files and Directories (T1564.001) |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Hidden Files and Directories
Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.
See ATT&CK: Hide Artifacts: Hidden Files and Directories (T1564.001).
Name | ID | Description |
---|---|---|
Attribute | F0005.003 | Malware may change or choose an attribute to hide a file or directory. |
Extension | F0005.001 | Malware may change or use a particular file extension to hide a file. |
Location | F0005.002 | Malware may change or choose the location of itself, another file, or a directory to prevent detection. |
Timestamp | F0005.004 | Malware may change the timestamp on a file to prevent detection. |
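
A defender-side triage sketch for three of the methods above (Attribute, Extension, Timestamp), added here as an illustration and not part of the catalog entry. The record layout, field names, and sample values are assumptions made for this example; the timestamp check compares NTFS `$STANDARD_INFORMATION` and `$FILE_NAME` creation times as a file-system parser would export them.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Windows file attribute bits (values from winnt.h)
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def triage(rec):
    """Return the F0005 method hints that apply to one file metadata record."""
    hits = []
    both = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    if rec["attrs"] & both == both:
        hits.append("attribute: Hidden+System set")
    ext = PureWindowsPath(rec["path"]).suffix.lower()
    if rec["head"][:2] == b"MZ" and ext not in PE_EXTENSIONS:
        hits.append("extension: PE header behind %r" % ext)
    # $STANDARD_INFORMATION times can be set through the normal file API, while
    # $FILE_NAME times are maintained by the file system, so an $SI creation
    # time older than the $FN one suggests the timestamp was rewritten.
    if rec["si_created"] < rec["fn_created"]:
        hits.append("timestamp: $SI created predates $FN created")
    return hits


def scan(records):
    """Map path -> hints for every record with at least one hint."""
    results = {r["path"]: triage(r) for r in records}
    return {path: hits for path, hits in results.items() if hits}


def rec(path, attrs, head, si_created, fn_created):
    """Build one record; the field names are assumptions of this example."""
    return {"path": path, "attrs": attrs, "head": head,
            "si_created": datetime.fromisoformat(si_created),
            "fn_created": datetime.fromisoformat(fn_created)}


# Constructed sample records, not taken from any real system or report.
SAMPLES = [
    rec(r"C:\Users\a\AppData\Roaming\svc.exe", 0x26, b"MZ\x90\x00", "2019-07-01T10:00:00", "2019-07-01T10:00:00"),
    rec(r"C:\Data\report.jpg", 0x20, b"MZ\x90\x00", "2019-03-02T09:00:00", "2019-03-02T09:00:00"),
    rec(r"C:\Data\notes.txt", 0x20, b"hello", "2012-08-15T00:00:00", "2019-03-02T09:00:00"),
    rec(r"C:\Windows\notepad.exe", 0x20, b"MZ\x90\x00", "2019-01-01T08:00:00", "2019-01-01T08:00:00"),
    rec(r"C:\Data\.cache", 0x22, b"\x00\x01", "2019-01-01T08:00:00", "2019-01-01T08:00:00"),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLES).items():
        print(path, "->", "; ".join(hits))
```

Each hint is a lead for review rather than a verdict: legitimate files such as `desktop.ini` carry Hidden and System attributes, and copied or extracted files can also show mismatched creation times.
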
Name | Date | Method | Description |
---|---|---|---|
GoBotKR | 2019 | -- | GoBotKR stores itself in a file with Hidden and System attributes. [1] |
Shamoon | 2012 | -- | Shamoon modifies target files' time to August 2012 as an anti-forensic trick. [2] |
CHOPSTICK | 2015 | -- | CHOPSTICK creates a hidden file for temporary storage. [3] |
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[3] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf