GCIH · Question #697
What is one of the simplest AND most common ways for an attacker to camouflage files on a UNIX system?
The correct answer is C. Use a dot-space or dot-dot-space as the file or directory name. On Unix systems, filenames beginning with a dot are hidden from standard directory listings, and using names like '. ' (dot-space) or '.. ' (dot-dot-space) camouflages malicious files among normal directory entries.
Question
What is one of the simplest AND most common ways for an attacker to camouflage files on a UNIX system?
Options
- AUse S-Tools to embed the files into a graphic image
- BRun "chmod 600" on the files to be hidden
- CUse a dot-space or dot-dot-space as the file or directory name
- DInsert the data into an alternate data stream using the colon (:)
- EInstall a kernel-level rootkit
How the community answered
(44 responses)- B9% (4)
- C86% (38)
- D2% (1)
- E2% (1)
Why each option
On Unix systems, filenames beginning with a dot are hidden from standard directory listings, and using names like '. ' (dot-space) or '.. ' (dot-dot-space) camouflages malicious files among normal directory entries.
S-Tools is a Windows-centric steganography application that requires additional software, making it neither the simplest nor most common method on Unix.
'chmod 600' restricts file permissions but does not hide the file from directory listings - it remains visible with ls.
Unix hides files whose names start with a dot from standard 'ls' output without the -a flag. Using '.' followed by a space or '..' followed by a space creates filenames that visually mimic the current and parent directory references, making them nearly invisible to casual inspection. This requires no special tools and is trivial to execute, making it one of the most common file-hiding techniques on Unix systems.
Alternate data streams using the colon syntax are a Windows NTFS-specific feature and do not apply to Unix filesystems.
Installing a kernel-level rootkit is a complex, high-risk operation requiring significant attacker capability, not a simple or common first step.
Concept tested: Unix hidden file techniques using dot-prefixed filenames
Source: https://attack.mitre.org/techniques/T1564/001/
Topics
Community Discussion
No community discussion yet for this question.