Hiding Files and Covering Tracks


Ways to hide files in Windows systems

  • Alternate Data Stream (ADS)

    • A feature of Windows' native NTFS file system, added to ensure compatibility with Apple's HFS

    • Many back-end features built into the OS and applications rely on it

    • In practice no one actually uses it to hide files, because it is easy to spot and triggers all sorts of warnings

    • Lets you hide a file behind any other file, making it invisible to directory listings

    • Mitigations

      • Every forensics kit checks for ADS

      • Modern versions of Windows show an executable run from inside a .txt file in Task Manager as part of the parent

      • Hunt down ADS using applications like LNS and Sfind

      • In Vista and later, the directory command dir /r displays all file streams in the directory

      • Copying files to and from a FAT partition blows away any residual file streams in the directory

# Copy the contents of badfile.exe into a stream attached to the text file
C:\> type c:\badfile.exe > c:\readme.txt:badfile.exe

# When ready to use the file, start it with
C:\> start readme.txt:badfile.exe

# Create a link to the bad file
C:\> mklink innocent.exe readme.txt:badfile.exe
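The mitigations listed above boil down to one check: enumerate the streams attached to every file and look at anything that is not the default data stream. The following PowerShell script is an added example (not part of the original notes and not from any of the tools named on this page). It assumes PowerShell 3.0 or later on Windows, uses a placeholder root path, and treats the browser-written Zone.Identifier stream as expected noise rather than a finding.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory and
# report every stream other than the default :$DATA stream.
# Assumes PowerShell 3.0+ (Get-Item -Stream). $Root is a placeholder to adjust.
param(
    [string]$Root = 'C:\Users\Public'   # placeholder root to scan
)

# Zone.Identifier is the Mark-of-the-Web stream browsers attach to downloads;
# it is normal and noisy, so it is labelled rather than flagged for review.
$benign = @('Zone.Identifier')

Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # One object per stream on the file, including the main :$DATA stream
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        $status = if ($benign -contains $_.Stream) { 'benign' } else { 'REVIEW' }
        [pscustomobject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Bytes  = $_.Length
            Status = $status
        }
    } |
    Sort-Object Status, File |
    Format-Table -AutoSize
```

A stream the size of an executable hanging off a readme.txt is exactly the readme.txt:badfile.exe pattern from the commands above; to look at it without running it, read it with Get-Content -LiteralPath <file> -Stream <name> -Encoding Byte (or -AsByteStream on PowerShell 7) into a triage copy. Because FAT has no streams, the page's note about copying through a FAT partition also works as a cleanup step once the finding has been preserved.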

What is Steganography?

  • Hiding data in pictures

  • Two types of semagrams

    • Visual semagram — use an everyday object to convey a message

    • Text semagram — obscures a message in text by using things such as font, size, type or spacing

  • Linguistic steganography

    • A collection of techniques and methods that allow hiding digital information within text, based on some linguistic knowledge

    • Hides the message in the carrier file in a non-obvious way

  • Technical Steganography

    • Hides a message using scientific methods

  • Tools

    • ImageHide

    • Snow

    • Mp3Stego

    • Blindside

    • S-tools

    • wbStego

    • Stealth

What are the three main logs?

  • Application log — entries specifically related to applications; only entries programmed by the developers get in

  • System log — Registers system events, such as drivers failing and startup/shutdown times

  • Security log — Registers login attempts, access and activities regarding resources

How to hide your tracks in log files

  • Be selective in your event log editing

  • Go in first and edit what is actually being audited

  • Turn off auditing only on the things you'll be hitting, things like:

    • failed resource access

    • failed logins

  • Visit the log and get rid of those items that show your presence and activities

  • Get rid of the security event log that shows where you edited the audit log

  • Another option is to simply corrupt the log file once you are done

Log file location

  • Default log file location is %systemroot%\System32\Config

  • The log files can be placed somewhere else by editing the registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog)

Tools

  • In Control Panel | Administrative Tools | Local Security Policy — you can set up and change the audit policy for the system

  • Top level settings are found under Local Policies | Audit Policy

  • Other settings are found in Advanced Audit Policy Configuration

  • WinZapper

  • Evidence Eliminator

  • Auditpol - lets you disable event logs on other machines

C:\> auditpol \\targetIPaddress /disable
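Each of the track-covering steps above (changing what is audited, clearing entries, relocating the log files with the EventLog registry key, and the auditpol tool in this Tools list) leaves its own trace, which is what a defender looks for. The script below is an added example, not part of the original notes. It assumes an elevated PowerShell session on a Windows host with the Security log enabled, a seven-day lookback as a default, and that each log's key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog carries a File value, as it does on current Windows versions.

```powershell
# Added example: surface the events that log tampering itself produces, check
# where each log is configured to live, and dump the live audit policy.
# Requires an elevated session to read the Security log and its registry key.
param(
    [int]$Days = 7,                              # assumed lookback window
    [string]$ComputerName = $env:COMPUTERNAME    # local host by default
)

$since = (Get-Date).AddDays(-$Days)

# 1102 = Security log cleared, 4719 = system audit policy changed (Security log)
# 104  = any other log cleared (System log, Eventlog provider)
$filters = @(
    @{ LogName = 'Security'; Id = 1102, 4719; StartTime = $since },
    @{ LogName = 'System';   Id = 104;        StartTime = $since }
)

foreach ($f in $filters) {
    # No matching events is a non-terminating error; suppress it and move on
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Where each log is actually written. The File value under the EventLog key
# (the key the notes mention) is what gets edited to relocate a log, so compare
# it with the path you expect for this build of Windows.
foreach ($log in 'Application', 'System', 'Security') {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $file = (Get-ItemProperty -Path $key -Name File -ErrorAction SilentlyContinue).File
    [pscustomobject]@{ Log = $log; ConfiguredFile = $file }
}

# Live audit policy: a "selective" change (failed logons or object access
# switched off) shows up here as a difference from your baseline policy.
auditpol /get /category:*
```

Run the script on a schedule or pull the same event IDs into a SIEM rule: a 4719 followed shortly by a 1102 is the signature of the sequence described under "How to hide your tracks in log files", and a File value pointing outside the expected directory is the registry edit from the "Log file location" section.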
