nerdexam
GIAC

GCIH · Question #697

What is one of the simplest AND most common ways for an attacker to camouflage files on a UNIX system?

The correct answer is C. Use a dot-space or dot-dot-space as the file or directory name. On Unix systems, filenames beginning with a dot are hidden from standard directory listings, and using names like '. ' (dot-space) or '.. ' (dot-dot-space) camouflages malicious files among normal directory entries.

Vulnerability Exploitation & Privilege Escalation

Question

What is one of the simplest AND most common ways for an attacker to camouflage files on a UNIX system?

Options

  • AUse S-Tools to embed the files into a graphic image
  • BRun "chmod 600" on the files to be hidden
  • CUse a dot-space or dot-dot-space as the file or directory name
  • DInsert the data into an alternate data stream using the colon (:)
  • EInstall a kernel-level rootkit

How the community answered

(44 responses)
  • B
    9% (4)
  • C
    86% (38)
  • D
    2% (1)
  • E
    2% (1)

Why each option

On Unix systems, filenames beginning with a dot are hidden from standard directory listings, and using names like '. ' (dot-space) or '.. ' (dot-dot-space) camouflages malicious files among normal directory entries.

AUse S-Tools to embed the files into a graphic image

S-Tools is a Windows-centric steganography application that requires additional software, making it neither the simplest nor most common method on Unix.

BRun "chmod 600" on the files to be hidden

'chmod 600' restricts file permissions but does not hide the file from directory listings - it remains visible with ls.

CUse a dot-space or dot-dot-space as the file or directory nameCorrect

Unix hides files whose names start with a dot from standard 'ls' output without the -a flag. Using '.' followed by a space or '..' followed by a space creates filenames that visually mimic the current and parent directory references, making them nearly invisible to casual inspection. This requires no special tools and is trivial to execute, making it one of the most common file-hiding techniques on Unix systems.

DInsert the data into an alternate data stream using the colon (:)

Alternate data streams using the colon syntax are a Windows NTFS-specific feature and do not apply to Unix filesystems.

EInstall a kernel-level rootkit

Installing a kernel-level rootkit is a complex, high-risk operation requiring significant attacker capability, not a simple or common first step.

Concept tested: Unix hidden file techniques using dot-prefixed filenames

Source: https://attack.mitre.org/techniques/T1564/001/

Topics

#file hiding#Unix filesystem#anti-forensics#stealth techniques

Community Discussion

No community discussion yet for this question.

Full GCIH Practice