Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion today. We're looking at hidden files and directories within the Defense Evasion component of the MITRE ATT&CK framework.
00:13
So let's go ahead and look at our objectives for today's discussion.
00:17
So we're going to describe for you what hidden files and directories are and how those work with respect to actually hiding them
00:25
some mitigation techniques. And then we're going to get into some detection techniques.
00:30
So within MITRE, the hidden files and directories vector is essentially where files that are typically hidden from end users
00:40
to prevent them from accidentally overriding or changing them
00:44
in the system are used to the advantage of the threat actor. All right, so they could use those components to hide files and folders on the systems for persistence or evasion purposes. So if you're not outright looking for something that's hidden,
00:59
you're probably not going to look for it. And if you're an end user, chances are you're not looking for it at all.
01:04
So how do they do it? How can we do it? Well, Windows systems have one way, and so you can use attrib.exe, which is just a binary, to run the particular command here against the file name to hide the file. Now, you can also
01:23
mark the file as hidden,
01:25
and this allows you to hide the file. Now, within the Mac or Linux environment, putting a dot or a period at the beginning of the file name produces a file that will be hidden or a folder that will be hidden.
01:40
So, looking at an example in a Windows based system here, I just took a few snippets.
01:45
So I've got my directory here with my standard stuff. Right. But when I go in and change my permissions or I'm sorry, the
01:57
settings for viewing hidden files and folders to the show option
02:04
I now see the secret sauce data, which is a slightly transparent-looking file or folder in this case. But I'm not able to see that when this particular component is unchecked, or it is set to the "do not show hidden files, folders,
02:22
or drives" option. And so we could even go as far as to hide drives on the system.
02:27
So again, by default, you can't
02:30
search for these things.
02:34
You have to actually show hidden files and folders, and then you can search for them. But it's not done by default.
02:39
Now, some mitigation techniques here are going to be things like end user awareness training to prevent the likelihood that payloads get on the system,
02:49
and then the implementation of least privilege
02:52
so that if a user is compromised, the threat actor's not able to use maybe scripts and things that need to write folder structures or put hidden files
03:04
in directories or areas that the end user would not otherwise be able to access. Some detection techniques here:
03:13
we can look for commands that add the dot on the front of files in Linux and Mac environments, especially, or when a command is used
03:23
with the attrib syntax. And so if we have a script that's running that tries to hide files now,
03:30
something else that we might be able to do here. If we're looking for known bad file names or were familiar with some indicators of compromise, we could probably turn on the hidden file function and do some searches across systems for those files. But that would be cumbersome.
03:49
But it's definitely something you could do to try to look for suspicious information.
03:53
So let's do a quick check on learning.
03:54
Hidden files are searchable by default. True or false?
04:01
All right, well, if you need some additional time, please pause the video. So by default, hidden files are not searchable.
04:10
That goes for both Linux-based and Windows-based systems. If you want to see hidden files in Linux-based systems, there's a string for that. And if you want to see hidden files in Windows-based systems, you have to make those files viewable through the properties. For essentially, you could go down to the bottom of your
04:30
thing here,
04:32
and I'll just, uh, pull it over to the side. But when I type "hidden," it says there, show hidden files and folders,
04:40
when we hit Enter.
04:42
As you can see here,
04:44
we just have to click,
04:46
show hidden files and hit apply, and then you can see hidden files on the system.
04:51
So, in summary of today's discussion, we described hidden files and directories. Again, this can be used as a mechanism for evading detection or trying to keep things secret, squirreling away your secret sauce and hiding it away. We reviewed some mitigation techniques.
05:11
And then we did talk detection techniques as
05:14
well. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor