T1158: Hidden Files


Hiding the file `mantvydas.sdb` using a native Windows binary:

{% code-tabs %}
{% code-tabs-item title="attacker@victim" %}
```
PS C:\experiments> attrib.exe +h .\mantvydas.sdb
```
{% endcode-tabs-item %}
{% endcode-tabs %}

Note how PowerShell or cmd says the file does not exist; however, you can type out its contents if you know the file exists:

Note that `dir /a:h` (attribute: hidden) reveals files with the "hidden" attribute set:


As usual, monitoring command-line arguments may be a good idea if you want to identify these events:
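
An added example (not from the original page) of the command-line monitoring described above: a PowerShell matcher for `attrib` invocations that set `+h`, run over constructed sample command lines, plus a hunt over Sysmon process-creation events. It assumes Sysmon is installed and logging Event ID 1; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical.
function Test-AttribHide {
    param([Parameter(Mandatory)][string]$CommandLine)
    # attrib / attrib.exe, bare or with a (quoted) path. -match is case-insensitive.
    $isAttrib   = $CommandLine -match '(^|[\\/"\s])attrib(\.exe)?("|\s|$)'
    # A +h switch must be present. -h clears the attribute, so it is not matched.
    $setsHidden = $CommandLine -match '(^|\s)\+h(\s|$)'
    return ($isAttrib -and $setsHidden)
}

function Find-AttribHideEvent {
    param([int]$MaxEvents = 5000)
    # Assumption: Sysmon is installed and logs process creation (Event ID 1).
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Flatten the <EventData> name/value pairs into a hashtable.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['CommandLine'] -and (Test-AttribHide $data['CommandLine'])) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    User        = $data['User']
                    ParentImage = $data['ParentImage']
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Constructed sample command lines (not taken from real logs).
$samples = @(
    'attrib.exe +h .\mantvydas.sdb',
    '"C:\Windows\System32\attrib.exe" +s +H C:\experiments\mantvydas.sdb',
    'attrib.exe -h .\mantvydas.sdb',
    'cmd.exe /c dir /a:h C:\experiments'
)
$samples | ForEach-Object { [pscustomobject]@{ SetsHidden = (Test-AttribHide $_); CommandLine = $_ } }

# On a host with Sysmon: Find-AttribHideEvent | Format-Table -AutoSize
```

The matcher keys on the switch rather than the file name, so it also catches `+h` combined with other attributes, while ignoring `-h` and unrelated commands such as `dir /a:h`.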

