GCIH · Question #704
How would an attacker hide an executable from being viewed by Windows Explorer?
The correct answer is D. Place it into an ADS of a .txt file. Placing an executable into an NTFS Alternate Data Stream (ADS) hides it from Windows Explorer and standard directory listings while keeping it executable.
Question
How would an attacker hide an executable from being viewed by Windows Explorer?
Options
- ARename it to '.. '
- BChange the extension from .exe to .dll
- CEncrypt it with RC4
- DPlace it into an ADS of a .txt file
How the community answered
(23 responses)- A9% (2)
- B17% (4)
- C4% (1)
- D70% (16)
Why each option
Placing an executable into an NTFS Alternate Data Stream (ADS) hides it from Windows Explorer and standard directory listings while keeping it executable.
Renaming a file to '.. ' creates an unusual directory entry but does not prevent Windows Explorer from displaying it in the file listing.
Changing the extension from .exe to .dll does not hide the file - Windows Explorer still lists .dll files in directory views.
Encrypting with RC4 obfuscates the file's contents but does not remove the file entry itself from Windows Explorer directory listings.
An Alternate Data Stream allows data to be attached to a file using the syntax file.txt:hidden.exe, which NTFS supports natively. Windows Explorer and the default dir command do not display ADS entries, making the embedded executable invisible to casual inspection. The hidden executable can still be invoked directly by referencing its full stream path.
Concept tested: NTFS Alternate Data Streams for executable hiding
Source: https://learn.microsoft.com/en-us/sysinternals/downloads/streams
Topics
Community Discussion
No community discussion yet for this question.