Hello and welcome to this course on Python for defense evasion. In this video, we're going to be talking about the Hide Artifacts technique (T1564) in the MITRE ATT&CK framework, and looking at how we can apply Python code to achieve this technique and reach the goal of evading defenses on a target system.

When an attacker has access to a system, one of their primary goals is to remain undetected for as long as possible. The reason is that if they're detected, a defender can take steps to eliminate or limit their ability to achieve their objectives on the system. For example, if your malware gets deleted before it's able to encrypt the files on the system, then the ransomware attack you're performing isn't very effective. The longer you can stay hidden, the more you can achieve, and the harder it is to remediate the impact of the attack.

On a target system, there are a number of different things that can reveal an attacker's presence. First, there are simple files: configuration files, or output files where you're staging data. For example, if you're performing a large-scale data breach, it's often difficult to exfiltrate massive amounts of data from the network without detection. A common way to address this is to compress the files into an archive and then try to move the compressed archive out. But creating a massive archive of sensitive data on the system is itself noisy: the file creation and the compression process can trip alerts, and at the simplest level, building an enormous zip file can consume a lot of disk space, CPU time, and memory. The user notices that they can't save something, or that the computer is running slowly, and starts to investigate. Another potential indication of an attacker's presence on the network is malware executables.
While fileless malware exists, many types of malware rely on files, and those files need to be saved on the file system and then executed, which also places them in memory. Detecting these malicious executables is how a lot of antivirus programs work: you've seen them run, scan the file system, report that they've inspected however many thousands of files, and then present a list of malicious or suspicious files that you can quarantine. That detection can allow the target organization to identify and eliminate an attacker's presence. Third, user accounts under the attacker's control might reveal their presence. If you create a user account for persistence, privilege escalation, lateral movement, and so on, the fact that there's a new account the system administrator didn't create or approve can give you away.

With all of these potential indications of an attacker's presence, it's important for the attacker to take steps to hide some of these artifacts. Doing so makes the attacker harder to detect: more difficult, but not impossible, because if you think about it, a file (whether a text file, an executable, or anything else) or a user account has to exist somewhere on the system. However, it can exist there in a way that makes it harder for the average end user or the average antivirus to find. For example, in the list of sub-techniques for Hide Artifacts, on the right side of the screen, we see things like Hidden Files and Directories (T1564.001). You can mark a file as hidden so that Windows Explorer doesn't show it. However, Explorer also has a "show hidden files" setting that makes those files easy to find again, and a program that enumerates the file system (including most antivirus scanners) sees hidden files regardless of the attribute. There are a variety of other ways to hide data on the system.
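As an added example (this is not the course's own code), here is what the Hidden Files and Directories sub-technique looks like from Python, together with the defender's view. On Windows the file gets the FILE_ATTRIBUTE_HIDDEN bit through SetFileAttributesW, which is what `attrib +h` and the Explorer checkbox do; on other platforms the example falls back to the leading-dot convention so it still runs. The function names, the scratch directory, and the sample file contents are constructed for this example.

```python
"""Hidden Files and Directories (T1564.001) from Python, plus the defender's
view. Added example, not the course's own code."""
import ctypes
import os
import shutil
import sys
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x02          # winnt.h
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF  # GetFileAttributesW failure value


def _kernel32():
    # Resolvable only on Windows; every caller guards on sys.platform first.
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetFileAttributesW.argtypes = [ctypes.c_wchar_p]
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    k32.SetFileAttributesW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32]
    k32.SetFileAttributesW.restype = ctypes.c_int
    return k32


def set_hidden(path, hidden=True):
    """Hide or unhide `path`; returns the path the file ends up at.

    Windows: flip FILE_ATTRIBUTE_HIDDEN, exactly what `attrib +h` and the
    Explorer 'Hidden' checkbox do. Elsewhere there is no such bit, so the
    example emulates it with the leading-dot convention that `ls` honours.
    """
    if sys.platform == "win32":
        k32 = _kernel32()
        attrs = k32.GetFileAttributesW(path)
        if attrs == INVALID_FILE_ATTRIBUTES:
            raise ctypes.WinError(ctypes.get_last_error())
        attrs = attrs | FILE_ATTRIBUTE_HIDDEN if hidden else attrs & ~FILE_ATTRIBUTE_HIDDEN
        if not k32.SetFileAttributesW(path, attrs):
            raise ctypes.WinError(ctypes.get_last_error())
        return path
    parent, name = os.path.split(path)
    if hidden and not name.startswith("."):
        name = "." + name
    elif not hidden and name.startswith("."):
        name = name.lstrip(".")
    new_path = os.path.join(parent, name)
    if new_path != path:
        os.rename(path, new_path)
    return new_path


def is_hidden(path):
    """What Explorer / `ls` consult before deciding whether to show the entry."""
    if sys.platform == "win32":
        return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_hidden(root):
    """Defender side. os.walk (like FindFirstFile and most AV engines) never
    skips hidden entries, so the attribute only hides from humans."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_hidden(full):
                found.append(full)
    return sorted(found)


def demo():
    """Constructed round trip in a scratch directory; returns what each step saw."""
    root = tempfile.mkdtemp()
    try:
        path = os.path.join(root, "staged.zip")
        with open(path, "wb") as f:
            f.write(b"PK\x03\x04 constructed sample, not a real archive")
        before = is_hidden(path)
        hidden_path = set_hidden(path)
        after = is_hidden(hidden_path)
        seen = [os.path.basename(p) for p in find_hidden(root)]
        restored = set_hidden(hidden_path, hidden=False)
        return {
            "before": before,
            "after": after,
            "seen_by_scan": seen,
            "restored": is_hidden(restored),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The point of `find_hidden()` is the caveat from the lecture: the hidden bit changes what Explorer and `dir` display, not what the file system returns, so a scanner written in a few lines of Python, or any antivirus engine, lists the staged archive anyway. Setting the attribute needs no elevation for a file you own, and `attrib -h` or Explorer's "show hidden files" undoes it.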
We're discussing Hide Artifacts here because we're going to be looking at how to use alternate data streams, or ADS, on the NTFS file system (the NTFS File Attributes sub-technique, T1564.004) to hide the presence of malicious files, executables, and so on using Python. In the next video, we'll demonstrate how to access alternate data streams from Python and what we're able to do with this hidden storage. Thank you.
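As an added example (this is not the course's own code), here is the ADS mechanism the lecture is leading up to: writing a payload into a named stream of an innocuous host file, reading it back, and enumerating streams the way `dir /r` does, through FindFirstStreamW via ctypes. The host file name, stream name, payload bytes and helper names are constructed for this example. Only the stream-name parser runs off Windows; the rest needs an NTFS volume, and on POSIX the example refuses rather than silently creating a visible file with a colon in its name.

```python
"""Alternate data streams (NTFS File Attributes, T1564.004) from Python.
Added example, not the course's own code. Everything except the stream-name
parser needs Windows with an NTFS volume."""
import ctypes
import os
import shutil
import sys
import tempfile

INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
ERROR_HANDLE_EOF = 38          # FindNextStreamW: no more streams
FIND_STREAM_INFO_STANDARD = 0  # STREAM_INFO_LEVELS


def _require_ntfs_host():
    # On POSIX, open("readme.txt:payload") just creates a perfectly visible file
    # with a colon in its name, the opposite of hiding, so refuse instead.
    if sys.platform != "win32":
        raise OSError("alternate data streams need Windows and an NTFS volume")


def write_stream(path, stream, data):
    """Store `data` in the named stream `path:stream`. The host file's own
    content and reported size do not change, so a directory listing or a
    hash of the file never reflects the payload."""
    _require_ntfs_host()
    with open(f"{path}:{stream}", "wb") as f:
        f.write(data)


def read_stream(path, stream):
    _require_ntfs_host()
    with open(f"{path}:{stream}", "rb") as f:
        return f.read()


def parse_stream_name(raw):
    """FindFirstStreamW reports ':name:$TYPE'; the unnamed main stream shows
    as '::$DATA'. Returns (name, type) so callers can spot the extras."""
    if not raw.startswith(":"):
        raise ValueError(f"unexpected stream name {raw!r}")
    name, _, stream_type = raw[1:].rpartition(":")
    return name, stream_type


class _WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36


def list_streams(path):
    """Enumerate every stream on `path`, which is what `dir /r` and PowerShell's
    `Get-Item -Stream *` do. Returns [(name, type, size), ...]."""
    _require_ntfs_host()
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = _WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name, stream_type = parse_stream_name(data.cStreamName)
            streams.append((name, stream_type, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


def demo():
    """Constructed round trip on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    root = tempfile.mkdtemp()
    try:
        host = os.path.join(root, "readme.txt")
        with open(host, "wb") as f:
            f.write(b"nothing to see here\n")           # 20 bytes
        write_stream(host, "payload.bin", b"MZ constructed stand-in for a dropped binary")
        return {
            "host_size": os.path.getsize(host),          # still 20: streams are not counted
            "payload": read_stream(host, "payload.bin"),
            "streams": sorted(name for name, _, _ in list_streams(host)),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two things a practitioner should keep in mind from this block. On the defender side, `dir /r`, PowerShell's `Get-Item -Stream *`, and Sysmon event ID 15 (FileCreateStreamHash) all surface the extra stream, and `Zone.Identifier`, the "mark of the web" stream that downloaded files carry, is the one ADS you expect to see on a normal system, so anything else on a user-writable file is worth a look. On the attacker side, streams live in NTFS metadata only: copying the host file to FAT/exFAT, zipping it, or mailing it silently drops the payload.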