05 July 2010

Covering Tracks

Disabling Auditing

C:\> auditpol /disable

C:\> elsave -s \\joel -l "Security" -C

Hiding Files

attrib

Hiding files gets no simpler than copying them to a directory and using the old DOS attrib tool to hide them, as shown with the following syntax:

attrib +h [directory]

This hides files and directories from command-line tools, but not if the Show All Files option is selected in Windows Explorer.

Alternate Data Streams (ADS)

If the target system uses NTFS (the Windows NT file system), an alternate file-hiding technique is available to intruders: NTFS supports multiple streams of data within a single file.

To stream files, an attacker will need the POSIX utility cp from the Resource Kit. The syntax is simple, using a colon in the destination file to name the stream:

C:\> cp [file] oso001.009:[file]

Here’s an example:

C:\> cp nc.exe oso001.009:nc.exe

This hides nc.exe in the nc.exe stream of oso001.009. Here’s how to unstream netcat:

C:\> cp oso001.009:nc.exe nc.exe

The modification date on oso001.009 changes but not its size. (Some versions of cp may not alter the file date.) Therefore, hidden streamed files are very hard to detect. Deleting a streamed file involves copying the “front” file to a FAT partition and then copying it back to NTFS.

Streamed files can still be executed while hiding behind their front file. Because of cmd.exe limitations, a streamed file cannot be executed directly (that is, by typing oso001.009:nc.exe). Instead, use the start command to run it:

C:\> start oso001.009:nc.exe
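The defender's counterpart to the two hiding techniques above, added here and not part of the original post: a PowerShell script that walks a directory (including files marked Hidden, which covers the attrib +h case) and reports every file that carries a named alternate data stream. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the $Root default is a constructed path.

```powershell
# Added example, not from the original post: find files hidden with attrib +h
# and files carrying named alternate data streams under an NTFS directory.
# Assumes Windows PowerShell 3.0+ (Get-Item -Stream); $Root default is constructed.
param([string]$Root = 'C:\Users\Public')

# Streams Windows itself attaches routinely (e.g. the download "mark of the web");
# anything not on this list deserves a closer look.
$KnownBenign = @('Zone.Identifier')

# -Force includes files and directories marked Hidden or System.
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file     = $_
        $isHidden = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden)

        # -Stream * enumerates every stream on the file; the primary data
        # stream is always named ':$DATA', so anything else is an ADS.
        $extra = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $extra) {
            [pscustomobject]@{
                File   = $file.FullName
                Hidden = $isHidden
                Stream = $s.Stream
                Bytes  = $s.Length
                Benign = ($KnownBenign -contains $s.Stream)
            }
        }

        # A hidden file with no extra stream is still worth reporting.
        if ($isHidden -and -not $extra) {
            [pscustomobject]@{
                File   = $file.FullName
                Hidden = $true
                Stream = '(none)'
                Bytes  = 0
                Benign = $false
            }
        }
    }
```

Save it as a .ps1 file and pipe the output to Format-Table -AutoSize or Export-Csv; from a plain command prompt, dir /R also lists the streams attached to each file.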

Linux:

unset HISTFILE; unset SAVEHIST

ln -s /dev/null ~/.bash_history


biOos