
54 Covering Tracks – Hiding Programs and Files

Mathew J. Heath Van Horn, PhD

Part of maintaining access is covering your tracks. One easy way to cover your tracks is by hiding files and programs. Operating systems provide this feature to keep users from deleting critical files, and attackers use the same techniques to hide malware, backdoors, or caches of stolen data staged for later exfiltration.
Additionally, steganography can be used both to cover tracks and to send infected files.

Learning Objectives

  • Create and view hidden files on Windows and Linux
  • Utilize steganography to hide a file

Prerequisites

Deliverables

  • Screenshot of ls -a command showing a hidden file
  • Screenshot of file properties window in Windows showing a hidden file
  • Screenshot of hide programs and features enabled in Windows
  • Screenshot of OpenStego extraction success window

Resources

Contributors and Testers

  • Justin La Zare, Cybersecurity Student, ERAU-Prescott
  • Dante Rocca, Cybersecurity Student, ERAU-Prescott
  • Alec Parish, Cybersecurity Student, ERAU-Prescott

NOTE: The labs in this section of the book roughly follow the pen testing process. However, in this chapter there is no need to use the baseline environment: you can perform these labs directly on the VMs you built for it. Also, if you use Windows or Linux as your daily driver, you can complete these labs directly on that operating system. Just keep track of what you do so you can return your daily driver to its original state.


Phase I – Hidden Files in Linux

In Linux, hiding a file conceals it from an ordinary directory listing. Fortunately, creating hidden files is easy in Linux. Unfortunately for security, viewing hidden files in Linux is just as easy.

  1. Start the Kali VM. Open the terminal in any directory and create a text file with a message in it. For our example, the file will be called hiddenMessage.txt
  2. Use ls to show the file you created in the directory
  3. Hidden files in Linux are created by adding a period to the front of the file name. To do this in the terminal, type the following command

    > mv hiddenMessage.txt .hiddenMessage.txt

  4. Now use ls again to make sure the file is hidden
  5. To view the hidden file, use the following command

    > ls -a

Phase II – Hidden Files in Windows – Hidden File Attribute

Similar to hiding files on Linux, hiding files and viewing hidden files is easy on Windows.

  1. Launch a Windows machine (virtual or physical)
  2. Create a new text file on the desktop by right-clicking on the wallpaper and selecting New -> Text Document. Name it whatever you would like
  3. Right-click the newly made file and select Properties
  4. In the attributes section under the general tab, check Hidden
    Figure 1 – Screenshot of File Properties window
  5. Click Apply and then OK. You should see the file disappear from the Desktop
  6. To view the hidden file, open File Explorer. Go to the Desktop in File Explorer
  7. Click the View bar at the top. Check the box that says Hidden items
    Figure 2 – Screenshot of file explorer view bar
  8. The hidden file should reappear on the desktop and in the File Explorer window

Phase III – Hiding Programs in Windows – Obfuscation

You can use different mechanisms in Windows to obscure the fact that a file even exists. Finding the file again isn’t that difficult, but it is unlikely that a casual user will go looking for it.

  1. Launch a Windows machine (virtual or physical)
  2. Create a new folder on the desktop by right-clicking on the wallpaper and selecting New -> Folder. Name it whatever you would like
  3. Alt-codes are a way to type extended characters or symbols without using “insert symbol”. They work from the numeric keypad when NumLock is on. For instance, the pound sign (£) is typed by holding down the Alt key and pressing 0163 on the number pad (you can Google “alt-codes” and “ASCII”)
  4. There are also non-printing (i.e., invisible) alt-codes, so we are going to rename our folder to <Alt> 255, which produces a ‘non-breaking space’
    1. Right-click on the file and select rename
    2. Delete all the text, including the file extension
    3. Now type <alt> 255 and press enter
    4. You can see that there appears to be a file with no readable filename
      Figure 3 – a file named <alt> 255
  5. However, we can still see that the file exists on our desktop, so we need to fix that
    1. Right-click on the file and select Properties
      1. Now select Customize
      2. Select “change icon”
      3. Now select one of the blank icons and click OK
      4. Select Apply and OK
        Figure 4 – changed the folder icon to a blank icon.
      5. With the blank icon, the folder appears to have vanished from the desktop
      6. To find it again, left-click on the wallpaper and drag a selection box across the entire desktop. The selection highlight will reveal the folder
        Figure 5 – highlighting the hidden folder on the desktop
  6. You can even change a file’s extension so that Windows associates it with the wrong application
    1. Open file explorer
    2. Click on view -> options
      Figure 6 – file explorer options
      1. Enable “Show hidden files, folders, and drives”
      2. Disable “Hide extensions for known file types”
        Figure 7 – change default view options
    3. Create a new Text Document on the desktop and fill it with some text. We called our file ‘super secrets’
      Figure 8 – create a new text document on the background
      Figure 9 – a new text file named ‘super secrets.txt’
    4. Right-click on the file and change the extension to jpg
      Figure 10 – changed the file extension to jpg, so now it appears as an image file
    5. Double-click on the file, and Windows will try to open it in Paint and give an error
      Figure 11 – the file cannot be opened in Paint
    6. The casual user won’t be able to open the file by double-clicking, but if you right-click on the file and choose the correct app under Open with, it will open just fine
      Figure 12 – open the file using the correct app

Phase IV – Hiding files in Windows – Alternate Data Streams

Windows systems use the NTFS (New Technology File System) file system to organize files on disk. It was an improvement over FAT (File Allocation Table) in that it supported file management on large drives and introduced some limited security options. NTFS keeps several hidden metadata structures that describe the files on the drive. One of these features, alternate data streams, can be used to hide data from the casual user: a second stream is stored inside another file without changing the file size that Windows reports or the content the user sees.

  1. Launch a Windows machine (virtual or physical)
  2. Create two files on the desktop:
    1. secret.txt
    2. innocent.txt
      Figure 13 – create two text files
  3. Populate these text files with some text: copy a news article, write your favorite poem, whatever. Just add some text you want to keep secret
  4. Right-click the secret.txt file and note its properties
    Figure 14 – inspecting the properties of secret.txt file
  5. Open the Windows command line by typing “CMD” at the Start button
  6. Navigate to the desktop where our files are stored. In this example we are at C:\users\Administrator\Desktop>
  7. Now hide the secret file in the innocent file by typing

    type secret.txt > innocent.txt:secret.txt

  8. Now you can right-click the secret.txt file and delete it. Don’t worry, the data is still there, because it is saved inside the innocent.txt file
  9. Now you can double-click the innocent.txt file and still see the original text in that document
  10. You can also right-click the file and look at its properties; they appear unchanged. Strictly speaking, the modified timestamp has been updated, but you need eagle eyes to notice that
  11. To read the hidden file, you type the following command

    notepad innocent.txt:secret.txt

    Figure 15 – reading the secret file inside the innocent file
  12. The hidden data doesn’t have to be a text file; NTFS lets you store a file of any type in an alternate data stream, and it will work the same way

Phase V – Hiding Programs in Windows

The ability to hide programs is key to hiding a virus or malware. While there are many techniques for doing this, we will show one that uses the Group Policy Editor.

  1. Launch a Windows machine (virtual or physical)
  2. Right-click the Windows start icon and then click Run. In the textbox that pops up, type the following

    > gpedit.msc

  3. Hit enter, and in the left pane of the Local Group Policy Editor window that opens, expand User Configuration and then Administrative Templates
  4. In the right pane, double-click Control Panel
  5. In the right pane, double-click Programs
  6. Right-click Hide “Programs and Features” page and select Edit
    Figure 3 – Screenshot of the Hide Programs and Features page in Local Group Policy Editor
  7. Click the Enabled radio button, then click Apply and OK. This prevents users from accessing the Programs and Features page to view and uninstall programs
    Figure 4 – Screenshot of Hide Programs and Features Enabled

Phase VI – Steganography

Finally, sometimes we want to hide a file by embedding it in another file. This practice is known as steganography.
  1. Switch to the Kali VM. Start by creating a text file that you want to hide. Then, download any image file to hide the message in
  2. Click the Kali logo at the top left and search for OpenStego. Open the program

    NOTE: If you do not see OpenStego, follow the steps to install the program.

    1. Navigate to https://www.openstego.com in the Kali VM
    2. Click “Download” at the top of the page
    3. Download the latest release; the file should end with the .deb extension
    4. Run the following command on the downloaded file to install OpenStego.

      > sudo dpkg -i <filename>.deb

  3. Click the three dots next to the Message file input. Locate the text file you made and select it
  4. Click the three dots next to the Cover file input. Locate the image you downloaded and select it
  5. Click the three dots next to the Output file input to select where to save the stego file. If you don’t specify a path and type a name, it will be sent to the current user’s home directory
    Figure 5 – Screenshot of Hiding Data using OpenStego
  6. Click Hide data
  7. Now that we’ve hidden the message, we can try to extract it. First, delete your message file
  8. Now go back to OpenStego and then click the Extract data tab
  9. Click the three dots near the Input stego file input and select your stego file
  10. Click the three dots near the Output folder for message file input and select where you want the message to be sent
    Figure 6 – Screenshot of Extracting Data using OpenStego
  11. Click the Extract data button
  12. Go to where you saved the message and check to make sure your message is still the same
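
OpenStego is a GUI, so the lab never shows what the Hide data step actually does to the cover image. The following Python example, added here and not taken from the lab or from OpenStego, implements the most common approach, least-significant-bit (LSB) embedding, on a constructed byte array that stands in for the pixel samples of an 8-bit grayscale image: the lowest bit of each sample is replaced by one bit of a length-prefixed message, and the extractor reads the bits back. The helper names (embed, extract, changed_samples, make_cover) and the sample message are this example’s own. It shows why the stego file is exactly the size of the cover and why no sample changes by more than 1, which is what makes the result invisible to a viewer and why tools such as stegdetect rely on statistical tests rather than on looking at the picture.

```python
import random


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of each cover sample.

    A 4-byte big-endian length header goes first so the extractor knows how
    many bytes to read back. Only bit 0 of each sample is touched, so the
    output has exactly the same length as the cover.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too large for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear bit 0, then set it to the payload bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length header, then the message, back out of the LSBs."""

    def read_bytes(first_sample: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[first_sample + n * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)  # the header occupies the first 32 samples


def changed_samples(cover: bytes, stego: bytes) -> int:
    """How many samples differ between cover and stego (at most one per payload bit)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


def make_cover(size: int, seed: int = 7) -> bytes:
    """Constructed stand-in for the pixel samples of an 8-bit grayscale image."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


if __name__ == "__main__":
    cover = make_cover(4096)
    secret = b"meet at the old mill"  # constructed message
    stego = embed(cover, secret)
    print("cover size:", len(cover), "stego size:", len(stego))
    print("samples changed:", changed_samples(cover, stego), "of", len(cover))
    print("recovered:", extract(stego))
```

About half of the payload bits already match the cover’s low bits, so even fewer samples change than the message has bits, and each change is a difference of 1 in a value between 0 and 255. That is the defender’s problem in a nutshell: file size, dimensions and appearance are all unchanged, so detection has to look at the distribution of low-order bits, which is what steganalysis tools do.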


Phase VII – How to find hidden files

Finding hidden files is more of a computer forensics topic and is beyond the scope of this book. However, you can use the techniques below to find the files we hid earlier.

  1. In Windows PowerShell, use the following command to find hidden files

    Get-ChildItem -Force | Where-Object { $_.Attributes -match "Hidden" } | Select-Object FullName, Attributes

  2. In Linux, use the following command to find hidden files and directories in the current directory

    find . -mindepth 1 -maxdepth 1 -type f -name ".*" -or -type d -name ".*"

  3. To find alternate data streams in Windows, type the following:

    dir /r

    and you will see the alternate data stream

    Figure 16 – using the dir command with the r switch
  4. To find files hidden inside suspected steganography carriers, you can use programs like stegdetect https://github.com/BionicSwash/Stegdetect
  5. Again, detecting hidden files is more of a forensic matter and is beyond the scope of this book
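
The dir /r listing in step 3 is the cheapest place to spot the Phase IV technique, because stream entries look different from file entries: they carry no date or time, only a size and a name of the form file:stream:$DATA. As an added example that is not part of the lab, the Python below parses a constructed dir /r listing of the lab’s desktop and separates streams Windows writes on its own, such as Zone.Identifier, from streams worth opening, such as innocent.txt:secret.txt. The listing text, the benign-stream list and the function names are this example’s own.

```python
import re

# Constructed sample of `dir /r` output for the lab's desktop. Stream lines are
# the ones without a date and time: a size followed by name:stream:$DATA.
SAMPLE_DIR_R = """ Volume in drive C has no label.
 Directory of C:\\Users\\Administrator\\Desktop

03/04/2024  10:15 AM    <DIR>          .
03/04/2024  10:15 AM    <DIR>          ..
03/04/2024  10:20 AM                42 innocent.txt
                                   128 innocent.txt:secret.txt:$DATA
03/04/2024  10:21 AM           102,400 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
03/04/2024  10:22 AM                 9 notes.txt
               3 File(s)        102,451 bytes
               2 Dir(s)  50,000,000,000 bytes free
"""

# A stream line: leading spaces, a size (possibly with thousands separators),
# then <file>:<stream>:$DATA and nothing else.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows writes by itself. Zone.Identifier is the mark-of-the-web a
# browser adds to downloads; it is expected, so report it but do not flag it.
KNOWN_BENIGN = {"Zone.Identifier"}


def parse_streams(dir_output: str) -> list:
    """Return (file, stream, size, benign) tuples for every ADS in the listing."""
    streams = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue  # ordinary file, directory or summary line
        size = int(m.group(1).replace(",", ""))
        filename, stream = m.group(2), m.group(3)
        streams.append((filename, stream, size, stream in KNOWN_BENIGN))
    return streams


def suspicious_streams(dir_output: str) -> list:
    """Only the streams a defender should open and inspect."""
    return [s for s in parse_streams(dir_output) if not s[3]]


if __name__ == "__main__":
    for filename, stream, size, benign in parse_streams(SAMPLE_DIR_R):
        label = "expected" if benign else "INSPECT"
        print(f"{label:8} {filename}:{stream} ({size} bytes)")
```

Notice that innocent.txt is still reported as 42 bytes even though its hidden stream holds 128; that is the “properties haven’t changed” observation from Phase IV seen from the other side. On a live system, PowerShell’s Get-Item -Stream * on a file lists the same streams without having to parse text.
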

End of Lab

Deliverables

Four screenshots are needed to earn credit for this exercise:

  • Screenshot of ls -a command showing a hidden file
  • Screenshot of file properties window in Windows showing a hidden file
  • Screenshot of hide programs and features enabled in Windows
  • Screenshot of OpenStego extraction success window

Homework

Assignment 1 – Find the hidden message in this file (link to photo)

  • Download the file and find the hidden message inside it
  • Take a screenshot of the hidden message

Assignment 2 – Choose an alternative

Research an alternative to OpenStego and use it to create new hidden files.  Write a short explanation covering the following:

  • Why did you settle on your selection? Was it the features, ease of use, cost, etc.?
  • Compare and contrast the tool you selected with OpenStego
  • What do you believe are the limitations of using steganography in your daily operations?

Assignment 3 – Pair up

There is nothing like trying it live. Find a partner and practice hiding and finding files with each other using at least three different techniques.

RECOMMENDED GRADING CRITERIA

  • Screenshot of technique 1
  • Screenshot of technique 2
  • Screenshot of technique 3


Figure 00 – Contact us via prmaster@erau.edu

License


Mastering Enterprise Networks 3e Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.