nerdexam
GIAC

GCIH · Question #704

How would an attacker hide an executable from being viewed by Windows Explorer?

The correct answer is D. Place it into an ADS of a .txt file. Placing an executable into an NTFS Alternate Data Stream (ADS) hides it from Windows Explorer and standard directory listings while keeping it executable.

Malware Analysis & Advanced Persistent Threats

Question

How would an attacker hide an executable from being viewed by Windows Explorer?

Options

  • ARename it to '.. '
  • BChange the extension from .exe to .dll
  • CEncrypt it with RC4
  • DPlace it into an ADS of a .txt file

How the community answered

(23 responses)
  • A
    9% (2)
  • B
    17% (4)
  • C
    4% (1)
  • D
    70% (16)

Why each option

Placing an executable into an NTFS Alternate Data Stream (ADS) hides it from Windows Explorer and standard directory listings while keeping it executable.

ARename it to '.. '

Renaming a file to '.. ' creates an unusual directory entry but does not prevent Windows Explorer from displaying it in the file listing.

BChange the extension from .exe to .dll

Changing the extension from .exe to .dll does not hide the file - Windows Explorer still lists .dll files in directory views.

CEncrypt it with RC4

Encrypting with RC4 obfuscates the file's contents but does not remove the file entry itself from Windows Explorer directory listings.

DPlace it into an ADS of a .txt fileCorrect

An Alternate Data Stream allows data to be attached to a file using the syntax file.txt:hidden.exe, which NTFS supports natively. Windows Explorer and the default dir command do not display ADS entries, making the embedded executable invisible to casual inspection. The hidden executable can still be invoked directly by referencing its full stream path.

Concept tested: NTFS Alternate Data Streams for executable hiding

Source: https://learn.microsoft.com/en-us/sysinternals/downloads/streams

Topics

#ADS#NTFS#file hiding#Windows evasion

Community Discussion

No community discussion yet for this question.

Full GCIH Practice