Covering tracks — Hiding files on Windows/Linux/MacOS

Introduction to hiding files

After gaining access to a system, an attacker commonly needs to cover their tracks to avoid detection. Many antivirus products work by scanning the files stored on a computer's filesystem and comparing them against signatures of known malware. If an attacker can conceal the existence of their files from the AV or other security tools, their probability of detection drops dramatically.

Hiding files

There are a variety of ways to hide files on a computer. In general, there is a tradeoff between how effective a hiding technique is and the level of privileges needed to use it. Methods that are extremely difficult for a user to detect also require elevated privileges on the system, while more accessible methods are much easier to detect.

Different means of hiding files may be specific to different operating systems, but many are generally applicable. Some of the options for hiding files on a system include:

  • Hidden files and folders
  • Unexpected locations
  • Alternate data streams
  • Function modification
  • Function hooking

In this section, we provide a brief introduction to each of these techniques and an overview of some of their pros and cons.

Hidden files and folders

One of the simplest and best-known methods of hiding files is the hidden file attribute. This functionality is built into most operating systems and is intended to keep users from interfering with files they should not touch.

On Windows, files can be marked as hidden with attrib.exe or through File Explorer. On Linux, any file whose name begins with a period is treated as hidden by default.

While this technique is probably the easiest means of hiding files, it is also the easiest to detect.
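As an added example (not from the original post), the detection side of the technique just described: a small Python audit that walks a directory tree and reports every entry that is hidden by the dot-prefix convention or, on Windows, by the hidden file attribute. It goes slightly beyond the text by also checking the macOS/BSD UF_HIDDEN flag set by chflags. The sample tree it builds is constructed for the demonstration; the paths and file names in it are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """True if an entry is hidden by any of the three OS conventions:
    a leading period (Linux/macOS), the Windows FILE_ATTRIBUTE_HIDDEN bit,
    or the macOS/BSD UF_HIDDEN flag (set by `chflags hidden`)."""
    if path.name.startswith("."):
        return True
    st = path.lstat()
    # st_file_attributes exists only on Windows; st_flags only on BSD/macOS.
    win_attrs = getattr(st, "st_file_attributes", 0)
    bsd_flags = getattr(st, "st_flags", 0)
    return bool(win_attrs & stat.FILE_ATTRIBUTE_HIDDEN) or bool(
        bsd_flags & stat.UF_HIDDEN
    )


def find_hidden(root) -> list[str]:
    """Return sorted, root-relative paths of hidden files and directories.
    os.walk descends into hidden directories too, so nothing is skipped just
    because its parent is hidden from a casual listing."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if is_hidden(entry):
                found.append(entry.relative_to(root).as_posix())
    return sorted(found)


def build_sample_tree() -> str:
    """Constructed sample tree (assumption): one hidden directory, one
    dotfile inside a normal directory, and one ordinary visible file."""
    root = Path(tempfile.mkdtemp(prefix="hidden_audit_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("visible\n")
    (root / "docs" / ".notes").write_text("dotfile\n")
    (root / ".cache").mkdir()
    (root / ".cache" / "data.bin").write_bytes(b"\x00\x01")
    return str(root)


if __name__ == "__main__":
    for entry in find_hidden(build_sample_tree()):
        print("hidden:", entry)
```

The same sweep is what an `ls -a` or `dir /a` listing shows interactively; the script form lets the check run over a whole tree on a schedule and diff the result against a known-good baseline.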

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/l_XobhXUiE4/