I want to share a little file hiding technique with you. I have never found a practical use for this in a penetration test, but it is still pretty neat! This technique can be very useful when you are participating in red-team/blue-team exercises, and you need to make it difficult for the other team to find and analyze programs you’ve left behind.
Using this technique, you can place a backdoor on a target in a location that is very difficult for your adversary to find, delete, and analyze. WMIC will tell the blue team that the file was run from the wrong location so they won’t find the file. Even if they did know where the file was, they wouldn’t be able to easily get to it from the command line or the GUI. It is pretty nasty. I used a simple directory structure in this demo, but the concept can be extended to some crazy highly nested directories that become impossible to get into.
Incident responders should be on the look out for these techniques. Getting rid of these nasty directories is a pretty simple task. Delete the entire parent directory and all its sub-directories. The good news is no matter how crazy the sub-directory structure gets you can usually clean it up with “rmdir /s “. You can’t easily navigate the directories, but you can delete them.
Check it out:
Check out my new SANS Class!! There is very little time left to sign up for the BETA at 50% off. Sign up today