A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇
Let's start with the most simple example. Select a mount namespace that is not used by systemd/init. Migrate the current shell into that process's mount namespace and mount a tmpfs file system. Anything written under the mounted path is concealed from users on the host. (2/7)
As a bonus, commands in this shell will not be written to the history file as we mounted over the user's home directory. No need to set HISTFILE=/dev/null. Once the shell exits, artifacts evaporate. Nothing touches the disk. Now how to do this as an unprivileged user? (3/7)
Create a new mount and user namespace, mapping the unprivileged uid to uid 0. Here the root user logs in [4] and can't see the file created by the unprivileged user in the /root directory. (4/7)
Malware can use the unshare() or clone() syscalls to create the new mount and user namespaces. The uid/gid mapping is done by writing to procfs, followed by mount(). If the process enters a spin lock, it can be used to keep a persistent hold of the 'stash space'. (5/7)
This method can be utilized to perform process masquerading. Here an implant appears to be running from /usr/sbin/auditd but it's actually 'fileless'. No '(deleted)', no ':memfd', no '/dev/shm', no ptrace, no LD_PRELOAD. Just stealth. (6/7)
Full writeup including mitigations, threat hunting and other detection ideas. 👇 (7/7) https://haxrob.net/hiding-in-p...
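The hunting idea the thread's last tweet points at can be put into code. The following is an added example, not the author's code or anything from the linked writeup: it compares every process's mount namespace (`/proc/<pid>/ns/mnt`) against PID 1's, and for the processes that live elsewhere it parses `/proc/<pid>/mountinfo` looking for a tmpfs/ramfs mounted over a path that normally lives on disk (the "stash space" from tweets 2 and 4). The watch list, the sample `mountinfo` text and the namespace identifiers below are constructed for the example. Reading another user's mountinfo requires root, which is the stance this runs from.

```python
"""Hunt for processes hiding a tmpfs 'stash' in a private mount namespace.

Signal used: the process is NOT in init's mount namespace AND its mountinfo
shows a tmpfs/ramfs layered over a path that is normally on disk. The second
condition keeps ordinary containers (which also have their own mount
namespace) from being flagged.
"""
import os
import sys

# Constructed watch list: on-disk paths a tmpfs should not normally sit on top of.
WATCHED_PREFIXES = ("/root", "/home", "/usr", "/bin", "/sbin", "/etc")


def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo (see proc(5)) into a list of dicts.

    Line layout: id parent major:minor root mount_point options [optional...] - fstype source superopts
    The ' - ' separator isolates the variable-length optional fields.
    """
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue                      # not a well-formed mountinfo line
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        mounts.append({
            # mountinfo octal-escapes spaces in paths as \040
            "mount_point": pre_fields[4].replace("\\040", " "),
            "fstype": post_fields[0],
            "source": post_fields[1],
        })
    return mounts


def _under_watched_path(mount_point):
    return any(mount_point == p or mount_point.startswith(p + "/") for p in WATCHED_PREFIXES)


def suspicious_tmpfs(mounts):
    """Return mount points where a memory-backed fs covers a watched on-disk path."""
    return [m["mount_point"] for m in mounts
            if m["fstype"] in ("tmpfs", "ramfs") and _under_watched_path(m["mount_point"])]


def analyze(init_ns, procs):
    """procs: {pid: (mnt_ns_link_target, mountinfo_text)}.

    Returns [(pid, mnt_ns, [suspicious mount points])] for processes that are
    outside init's mount namespace and carry a suspicious overlay.
    """
    findings = []
    for pid, (ns, mountinfo) in sorted(procs.items()):
        if ns == init_ns:
            continue                      # same view of the filesystem as init
        hits = suspicious_tmpfs(parse_mountinfo(mountinfo))
        if hits:
            findings.append((pid, ns, hits))
    return findings


def collect_live():
    """Read namespace ids and mountinfo for every pid in /proc (Linux, run as root)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            ns = os.readlink(f"/proc/{entry}/ns/mnt")       # e.g. 'mnt:[4026531840]'
            with open(f"/proc/{entry}/mountinfo") as fh:
                procs[int(entry)] = (ns, fh.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                      # process exited or not readable
    return procs


# Constructed sample data standing in for /proc contents.
SAMPLE_HOST = (
    "28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "24 28 0:23 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755\n"
)
# Same view as the host, plus a tmpfs mounted over /root: the stash.
SAMPLE_STASH = SAMPLE_HOST + "201 28 0:60 / /root rw,relatime - tmpfs tmpfs rw\n"
SAMPLE_PROCS = {
    1:    ("mnt:[4026531840]", SAMPLE_HOST),    # init
    1337: ("mnt:[4026532601]", SAMPLE_STASH),   # private mount ns + tmpfs over /root
    2200: ("mnt:[4026532777]", SAMPLE_HOST),    # private mount ns, nothing suspicious (container-like)
}

if __name__ == "__main__":
    if sys.platform.startswith("linux") and os.path.exists("/proc/1/ns/mnt"):
        live = collect_live()
        results = analyze(live[1][0], live)
    else:
        results = analyze(SAMPLE_PROCS[1][0], SAMPLE_PROCS)
    for pid, ns, hits in results:
        print(f"pid {pid} in {ns}: memory-backed fs over {', '.join(hits)}")
```

On the constructed data only pid 1337 is reported; pid 2200 shows that a foreign mount namespace by itself is not the signal. A finding can be confirmed with tooling the kernel already exposes to root, such as `findmnt -N <pid>` or `nsenter -t <pid> -m`, since the hidden view is only hidden from processes outside that namespace, not from `/proc`. The thread's writeup is the place for mitigations; on mainline kernels the `user.max_user_namespaces` sysctl is one control that limits how many user namespaces can be created at all.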