turbot/tailpipe-mod-apache-access-log-detections

Detection: Hidden File Access

Overview

Detect attempts to access hidden files and directories, including version control repositories, configuration files, and other sensitive resources not intended for public access. These files often contain sensitive information that can be exploited for further attacks.

Attackers target hidden files and directories that may contain sensitive information, for example:

- version control repositories (.git, .svn), which can expose source code and commit history
- configuration files (.env, .htaccess, .htpasswd), which may contain credentials and security settings
- hidden system files (.DS_Store, .bash_history), which can reveal system information
- development environment files (.vscode, .idea), which may contain project secrets
- infrastructure configuration files (docker-compose.yml, Dockerfile, kubeconfig), which reveal architecture details

These files are often unintentionally exposed due to misconfiguration or oversight during deployment.

When this detection triggers, security teams should:

- verify whether the access attempt was successful
- review which hidden files were targeted and what sensitive information they may contain
- remove hidden files and directories from public locations, or properly secure access to them
- configure web servers to block access to hidden files
- implement proper .gitignore files and deployment processes to prevent exposure
- check for credentials or secrets that may have been exposed and rotate them
- consider implementing Git hooks to prevent committing sensitive files

Some legitimate scenarios may trigger this detection, including:

- version control integrations that legitimately access repository files
- development tools that check for configuration files
- content management systems with special handling for hidden files
- administrative tools that manage server configuration files

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.hidden_file_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.hidden_file_access --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Common hidden files and directories
    request_uri ilike '%/.git/%'
    or request_uri ilike '%/.svn/%'
    or request_uri ilike '%/.DS_Store%'
    or request_uri ilike '%/.htpasswd%'
    or request_uri ilike '%/.npmrc%'
    or request_uri ilike '%/.env%'
    or request_uri ilike '%/.aws/%'
    or request_uri ilike '%/.ssh/%'
    or request_uri ilike '%/.bash_history%'
    or request_uri ilike '%/.htaccess%'
    or request_uri ilike '%/.config/%'
    or request_uri ilike '%/.vscode/%'
    or request_uri ilike '%/.idea/%'
    -- Docker/Kubernetes files
    or request_uri ilike '%/docker-compose%'
    or request_uri ilike '%/Dockerfile%'
    or request_uri ilike '%/kubernetes/%'
    or request_uri ilike '%/kubeconfig%'
  )
order by
  tp_timestamp desc;
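The same matching logic applied directly to raw log lines, as an added example that is not part of this mod and does not use Tailpipe or Powerpipe. It assumes the Apache "combined" LogFormat, mirrors the query's case-insensitive substring predicates, sorts newest first like the query, and adds a succeeded flag (2xx response) so a responder can see at a glance which requests were actually served, which is the first triage step listed above. The sample lines are constructed; the last one shows that the '%/.env%' predicate also fires on any path segment that merely starts with ".env", one reason the findings need review rather than automatic action.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Substrings the detection's ilike predicates look for. ilike is case-insensitive,
# so they are kept lowercase and the request URI is lowered before matching.
HIDDEN_PATTERNS = (
    "/.git/", "/.svn/", "/.ds_store", "/.htpasswd", "/.npmrc", "/.env",
    "/.aws/", "/.ssh/", "/.bash_history", "/.htaccess", "/.config/",
    "/.vscode/", "/.idea/",
    # Docker/Kubernetes files
    "/docker-compose", "/dockerfile", "/kubernetes/", "/kubeconfig",
)

# Apache "combined" log format (assumed here; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'(?P<source_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<user_agent>[^"]*)"'
)


@dataclass
class Finding:
    timestamp: datetime
    operation: str
    resource: str
    status: int
    actor: str
    source_ip: str
    pattern: str      # which predicate fired; handy when reviewing false positives
    succeeded: bool   # 2xx response: the server actually returned the resource


def matched_pattern(uri: str):
    """Return the first hidden-file pattern contained in the URI, or None."""
    lowered = uri.lower()
    for pattern in HIDDEN_PATTERNS:
        if pattern in lowered:
            return pattern
    return None


def detect_hidden_file_access(lines):
    """Apply the detection to raw log lines; newest first, like the query's order by."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: no request_uri to match, as with a null value
        pattern = matched_pattern(m["uri"])
        if pattern is None:
            continue
        status = int(m["status"])
        findings.append(Finding(
            timestamp=datetime.strptime(m["timestamp"], "%d/%b/%Y:%H:%M:%S %z"),
            operation=m["method"],
            resource=m["uri"],
            status=status,
            actor=m["user_agent"],
            source_ip=m["source_ip"],
            pattern=pattern,
            succeeded=200 <= status < 300,
        ))
    findings.sort(key=lambda f: f.timestamp, reverse=True)
    return findings


def successful_accesses(findings):
    """Findings to triage first: the server served content rather than 403/404."""
    return [f for f in findings if f.succeeded]


# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:15:01 +0000] "GET /.git/config HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:15:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:08:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:08:16:11 +0000] "GET /app/Docker-Compose.yml HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.4 - - [10/Mar/2024:08:17:00 +0000] "GET /blog/.environment-tips HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in detect_hidden_file_access(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if f.succeeded else "blocked/missing"
        print(f"{f.timestamp:%Y-%m-%d %H:%M:%S} {f.source_ip} {f.operation} "
              f"{f.resource} {f.status} {flag} [{f.pattern}]")
```

Run against the sample, the two 200 responses (the .git/config read and the harmless .environment-tips page) are the ones worth opening first; the 404 and 403 show the server already refusing the request, which is the state a "block hidden files" configuration should leave every such request in.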

Tags