| ID | F0005 |
| Objective(s) | Defense Evasion, Persistence |
| Related ATT&CK Techniques | Hide Artifacts: Hidden Files and Directories (T1564.001) |
| Version | 2.0 |
| Created | 1 August 2019 |
| Last Modified | 21 November 2022 |
Hidden Files and Directories
Malware may hide files and folders to avoid detection and/or to persist on the system. See potential methods below.
See ATT&CK: Hide Artifacts: Hidden Files and Directories (T1564.001).
| Name | ID | Description |
|---|---|---|
| Attribute | F0005.003 | Malware may change or choose an attribute to hide a file or directory. |
| Extension | F0005.001 | Malware may change or use a particular file extension to hide a file. |
| Location | F0005.002 | Malware may change or choose the location of itself, another file, or a directory to prevent detection. |
| Timestamp | F0005.004 | Malware may change the timestamp on a file to prevent detection. |
| Name | Date | Method | Description |
|---|---|---|---|
| GotBotKR | 2019 | -- | GoBotKR stores itself in a file with Hidden and System attributes. [1] |
| Shamoon | 2012 | -- | Modifies target files' time to August 2012 as an antiforensic trick [2] |
| CHOPSTICK | 2015 | -- | CHOPSTICK creates a hidden file for temporary storage [3] |
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf