MITRE ATT&CK Technique
Defense Evasion T1158
Description

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

### Windows

Users can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename</code> to mark a file or folder as hidden. Similarly, the “+s” flag marks a file as a system file and the “+r” flag marks the file as read only. Like most Windows binaries, the attrib.exe binary provides the ability to apply these changes recursively with “/S”.

### Linux/Mac

Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usage, there is typically a flag to see all files (including hidden ones). To view these files in the Finder application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES</code>, and then the Finder application must be relaunched.

### Mac

Files on macOS can be marked with the UF_HIDDEN flag, which prevents them from being seen in Finder.app but still allows them to be seen in Terminal.app (Citation: WireLurker).
Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
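
An added example, not part of the original technique page: a Python sweep that reports entries hidden by any of the mechanisms described above (leading dot, the macOS UF_HIDDEN flag, the Windows hidden and system attributes) while skipping expected names such as .ssh. The EXPECTED_HIDDEN allowlist, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: hidden names considered normal on this host; tune per environment.
EXPECTED_HIDDEN = {".ssh", ".cache", ".config", ".bashrc", ".profile"}

def hidden_reasons(name, st):
    """Return which hiding mechanisms described above apply to one entry."""
    reasons = []
    if name.startswith("."):
        reasons.append("dot-prefix")                  # Linux/macOS naming convention
    if getattr(st, "st_flags", 0) & stat.UF_HIDDEN:   # st_flags exists on macOS/BSD only
        reasons.append("UF_HIDDEN")
    attrs = getattr(st, "st_file_attributes", 0)      # populated on Windows only
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        reasons.append("attrib +h")
    if attrs & stat.FILE_ATTRIBUTE_SYSTEM:
        reasons.append("attrib +s")
    return reasons

def find_hidden(root, expected=EXPECTED_HIDDEN):
    """Walk root; return sorted (path, reasons, is_executable) for unexpected hidden entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                   # lstat: never follow symlinks
            except OSError:
                continue                              # vanished or unreadable entry
            reasons = hidden_reasons(name, st)
            if reasons and name not in expected:
                # Executable bit is meaningful on POSIX; on Windows treat it as a hint.
                is_exec = stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)
                findings.append((path, reasons, is_exec))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (not data from the page)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".ssh"))          # expected, so not reported
        os.mkdir(os.path.join(root, ".updater"))      # constructed suspicious directory
        payload = os.path.join(root, ".updater", ".agent")
        open(payload, "w").close()
        os.chmod(payload, 0o755)
        open(os.path.join(root, "notes.txt"), "w").close()
        return [(os.path.relpath(p, root), r, x) for p, r, x in find_hidden(root)]
```

Calling find_hidden on a home directory or a service account's working directory gives a reviewable list; hidden entries that are also executable regular files are the ones to triage first.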

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'To prevent normal users from accidentally changing special '
                'files on a system, most operating systems have the concept of '
                'a ‘hidden’ file. These files don’t show up when a user '
                'browses the file system with a GUI or when using normal '
                'commands on the command line. Users must explicitly ask to '
                'show the hidden files either via a series of Graphical User '
                'Interface (GUI) prompts or with command line switches '
                '(<code>dir /a</code> for Windows and <code>ls –a</code> for '
                'Linux and macOS).\n'
                '\n'
                'Adversaries can use this to their advantage to hide files and '
                'folders anywhere on the system for persistence and evading a '
                'typical user or system analysis that does not incorporate '
                'investigation of hidden files.\n'
                '\n'
                '### Windows\n'
                '\n'
                'Users can mark specific files as hidden by using the '
                'attrib.exe binary. Simply do <code>attrib +h filename</code> '
                'to mark a file or folder as hidden. Similarly, the “+s” marks '
                'a file as a system file and the “+r” flag marks the file as '
                'read only. Like most windows binaries, the attrib.exe binary '
                'provides the ability to apply these changes recursively '
                '“/S”.\n'
                '\n'
                '### Linux/Mac\n'
                '\n'
                'Users can mark specific files as hidden simply by putting a '
                '“.” as the first character in the file or folder name  '
                '(Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac '
                'Malware). Files and folder that start with a period, ‘.’, are '
                'by default hidden from being viewed in the Finder application '
                'and standard command-line utilities like “ls”. Users must '
                'specifically change settings to have these files viewable. '
                'For command line usages, there is typically a flag to see all '
                'files (including hidden ones). To view these files in the '
                'Finder Application, the following command must be executed: '
                '<code>defaults write com.apple.finder AppleShowAllFiles '
                'YES</code>, and then relaunch the Finder Application.\n'
                '\n'
                '### Mac\n'
                '\n'
                'Files on macOS can be marked with the UF_HIDDEN flag which '
                'prevents them from being seen in Finder.app, but still allows '
                'them to be seen in Terminal.app (Citation: WireLurker).\n'
                'Many applications create these hidden files and folders to '
                'store information so that it doesn’t clutter up the user’s '
                'workspace. For example, SSH utilities create a .ssh folder '
                'that’s hidden and contains the user’s known hosts and keys.',
 'external_references': [{'external_id': 'T1158',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1158'},
                         {'description': 'Dani Creus, Tyler Halfpop, Robert '
                                         'Falcone. (2016, September 26). '
                                         "Sofacy's 'Komplex' OS X Trojan. "
                                         'Retrieved July 8, 2017.',
                          'source_name': 'Sofacy Komplex Trojan',
                          'url': 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/'},
                         {'description': 'Thomas Reed. (2017, January 18). New '
                                         'Mac backdoor using antiquated code. '
                                         'Retrieved July 5, 2017.',
                          'source_name': 'Antiquated Mac Malware',
                          'url': 'https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/'},
                         {'description': 'Claud Xiao. (n.d.). WireLurker: A '
                                         'New Era in iOS and OS X Malware. '
                                         'Retrieved July 10, 2017.',
                          'source_name': 'WireLurker',
                          'url': 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf'}],
 'id': 'attack-pattern--dc27c2ec-c5f9-4228-ba57-d67b590bda93',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:49:28.772Z',
 'name': 'Hidden Files and Directories',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}