Operational Security (OPSEC) Basic Guide for Windows Users


I. Introduction

This is one of a series of articles on configuring and using Windows so that your computer and your data stay secure. This article covers hidden files on Windows: why they exist and how to reveal them. After that we look at how attackers abuse file extensions and the preview pane, and how to defend against each.

This series of articles will be beneficial for:

Ordinary users who have a new laptop or a freshly installed Windows, or who simply want to be sure the device is a safe place to keep personal files such as photos and documents.

Those who want to start with basic OPSEC guidelines.

Developers who seek additional safety measures and enhanced security awareness when using their computers.

Those who wish to maintain privacy for their personal information and data.

What OPSEC means:

This is the process of managing security and risk to prevent information from falling into the hands of unauthorized or malicious users.

As for this series, it will be a list of tasks to perform in order to configure and use Windows along with accompanying software in everyday activities. The aim is to ensure that your computer is protected from malware and to minimize the uncontrolled sharing of information.

In addition, minimizing the information shared with third parties matters in its own right, since even large technology companies have suffered data breaches.

II. Things lurking in the abyss: what should and shouldn't be seen

1. Malicious hidden files: how malware spreads

Adversaries hide files and directories to evade detection; MITRE ATT&CK catalogs this as T1564.001 (Hide Artifacts: Hidden Files and Directories).

Beyond evasion, the fact that users cannot see hidden files is also used to spread malware in the first place. Have you heard of DLL hijacking? This attack exploits the order in which Windows searches for and loads DLLs, so that one of your legitimate programs loads malicious code into memory (MITRE ATT&CK T1574.001, Hijack Execution Flow: DLL Search Order Hijacking).

Many APT groups and cybercrime gangs use this technique today; MITRE's procedure examples include APT41, Aquatic Panda and APT29 (via Brute Ratel C4), among others.

A. Real-life example of malware infection by exploiting hidden files

The two images below show the same folder under two different Windows Explorer configurations: one does not show hidden files, the other has been adjusted to display them.

[Image: Explorer with hidden files not shown (hidden-file abuse example)]


[Image: Explorer with "Show hidden files" enabled]

Suppose you browse to this folder in Explorer and see only a file named "Weekly Payroll Report.pdf". Double-clicking it infects you with malware, and the infection flow is as follows:

  1. "Weekly Payroll Report.pdf" is not a PDF but a shortcut (.lnk) file. Explorer never shows the .lnk extension, even when extensions are displayed, so the shortcut passes for a document. Opening it starts the hidden executable "PDF Reader".
  2. "PDF Reader" is a legitimate program that loads a DLL named "AcroRd32" by name, and Windows searches the application's own directory first. The attacker has placed a malicious "AcroRd32" DLL next to it, so that copy is loaded instead of the real one: DLL search-order hijacking.
  3. The malicious DLL runs its payload, and your computer is now infected.

This scenario most often arrives as a compressed attachment (Zip, Rar, 7z, etc.), but it works just as well on external hard drives, USB sticks and shared network drives that you browse with Explorer.
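The following PowerShell script is an added example (not code from the original article) that audits one folder for the pattern in the infection chain above: it lists every file including the ones Explorer hides, says which visibility setting would reveal each, flags hidden executable code, and resolves each shortcut to see whether it launches an executable in the same folder. The folder path and the extension lists are assumptions for the demo.

```powershell
# Added example, not code from the original article: audit one folder for the
# hidden-launcher pattern (a visible shortcut that starts a hidden/system
# executable placed next to it). Folder path and extension lists are assumed.
param([string]$Folder = "$env:USERPROFILE\Downloads\payroll")

$Folder   = [IO.Path]::GetFullPath($Folder).TrimEnd('\')
$execExts = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd'

# -Force returns the Hidden and System items that Explorer is hiding.
$items = Get-ChildItem -LiteralPath $Folder -File -Force
$shell = New-Object -ComObject WScript.Shell

foreach ($f in $items) {
    $hidden = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    $system = $f.Attributes.HasFlag([IO.FileAttributes]::System)

    # Hidden+System files are "protected operating system files": still invisible
    # after "Show hidden files" is enabled unless that second option is unchecked too.
    $visibility = if ($hidden -and $system) { 'hidden even with "show hidden files"' }
                  elseif ($hidden)          { 'hidden by default' }
                  else                      { 'visible' }
    '{0,-40} {1,-24} {2}' -f $f.Name, $f.Attributes, $visibility

    if ($hidden -and $execExts -contains $f.Extension.ToLower()) {
        Write-Warning "Hidden executable code: $($f.Name)"
    }

    # A shortcut whose target is an executable in the same folder is the
    # launcher from step 1 of the infection chain.
    if ($f.Extension -ieq '.lnk') {
        $lnk    = $shell.CreateShortcut($f.FullName)
        $target = $lnk.TargetPath
        if ($target) {
            $targetDir = [IO.Path]::GetDirectoryName([IO.Path]::GetFullPath($target))
            if ($targetDir -ieq $Folder -and
                $execExts -contains [IO.Path]::GetExtension($target).ToLower()) {
                Write-Warning ("Shortcut '{0}' starts '{1}' {2} (icon: {3})" -f
                    $f.Name, $target, $lnk.Arguments, $lnk.IconLocation)
            }
        }
    }
}
```

The same information is available from a plain Command Prompt with dir /a (lists all files regardless of attributes) and attrib (prints the S and H flags), but the shortcut target is what tells you the visible "document" is a launcher, and that needs the shortcut to be parsed rather than opened.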

B. How to show hidden files in Windows Explorer

  1. Open Windows Explorer
  2. Click "File", then "Options"
  3. In the "Folder Options" window, open the "View" tab and select the radio button "Show hidden files, folders, and drives"
  4. Click "OK" to apply.

The configuration steps in this article are for Windows 10. If you are using a different version, search for the equivalent steps using the same option names as keywords.

C. If invisible things are bad, why does Windows have hidden files at all?

  • To ensure that users do not modify important files, which could affect the system.
  • It helps keep the workspace interface tidy and easier to navigate. Imagine your working folder has many hidden files; if all of them are displayed, it can easily lead to confusion and make operations more difficult.

2. Showing hidden files is not enough: protected operating system files

A. Real-life example

In some cases, even after you have set Explorer to show hidden files, some files remain hidden. Take the directory below.

[Image: Explorer with "Show hidden files" enabled but protected operating system files still hidden]

Only the file "Weekly Payroll Report.pdf" is visible. As in the previous example, "PDF Reader" and the DLL "AcroRd32" are still lurking in this folder, and opening "Weekly Payroll Report.pdf" still infects you with malware.

The reason is that "PDF Reader" and "AcroRd32" carry the "System" attribute in addition to "Hidden". Explorer treats files marked both Hidden and System as protected operating system files, and those are governed by a separate option ("Hide protected operating system files"), so they stay hidden even though "Show hidden files" is selected.

B. You can force Explorer not to hide these files by configuring it as follows

  1. Open Windows Explorer
  2. Click "File", then "Options"
  3. In the "Folder Options" window, open the "View" tab, select the radio button "Show hidden files, folders, and drives" and uncheck "Hide protected operating system files (Recommended)"; confirm the warning prompt
  4. Click "OK" to apply.

However, this is only recommended for experienced users, to avoid accidentally deleting or modifying files the system depends on. A lighter alternative is to leave the option on and inspect a suspicious folder from a Command Prompt instead, where dir /a and attrib list every file regardless of its attributes.

3. Phishing attacks: spoofed file extensions

A. Real-life Example

Most of us know not to open executable files received by email. But in everyday use, how do you actually tell whether a file is a document or an executable?

There is nothing to be ashamed of: we respond more to images than to text, so in practice we identify file types by their icons.

That is why phishing that spoofs icons and file extensions is such an effective attack vector. The technique is commonly called Double File Extension (MITRE ATT&CK T1036.007, Masquerading: Double File Extension).

By default, Explorer does not display file extensions, so users rely on icons to tell file types apart. The two images below show a malicious file whose icon was changed to that of an MS Word document: one with extensions hidden, the other after Explorer has been reconfigured.

[Image: Explorer with extensions hidden, double file extension masquerading example]

[Image: Explorer with file extensions shown, revealing the double extension]

As you can see, the malicious file is actually named "Weekly Payroll Report.doc.exe", but with extensions hidden it appears as "Weekly Payroll Report.doc". The icon is not Word's: it is an icon resource the attacker embedded in the executable. Browsing to that folder, it is easy to take it for a normal document, and an innocent double-click on the "document" runs the malware. One tell survives even with extensions hidden: in Explorer's Details view, the Type column shows "Application" rather than a document type.
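The PowerShell script below is an added example (not code from the original article) that searches a folder for names that would read as a document in Explorer while the real, last extension is executable. It goes slightly beyond the single case above: it also catches the padded variant ("Report.doc        .exe") and shortcut-based lures (.lnk), whose extension Explorer never displays. The folder path and both extension lists are assumptions for the demo.

```powershell
# Added example, not code from the original article: find files whose name as
# Explorer shows it (last extension hidden) looks like a document while the real
# extension is executable. Folder path and extension lists are assumptions.
param([string]$Folder = "$env:USERPROFILE\Downloads")

$docExts  = 'doc','docx','xls','xlsx','ppt','pptx','pdf','txt','rtf','jpg','jpeg','png','zip'
$execExts = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','hta','msi','ps1','lnk'

# <anything>.<document ext><optional padding spaces>.<executable ext> at the end of the name
$pattern = '(?i)\.(' + ($docExts -join '|') + ')\s*\.(' + ($execExts -join '|') + ')$'

Get-ChildItem -LiteralPath $Folder -File -Force -Recurse |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            # What Explorer displays with "Hide extensions for known file types" on
            Shown   = [IO.Path]::GetFileNameWithoutExtension($_.Name)
            Actual  = $_.Name
            RealExt = $_.Extension.ToLower()
            Path    = $_.FullName
        }
    } |
    Format-Table -AutoSize
```

Run it against the download folder or an extracted archive before opening anything in it; a non-empty table means at least one file is pretending to be a document type it is not.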

B. Windows show File extensions - How To

You can avoid this confusion by configuring Explorer as follows:

  1. Open Windows Explorer
  2. Click "File", then "Options"
  3. In the "Folder Options" window, open the "View" tab and uncheck "Hide extensions for known file types"
  4. Click "OK" to apply.
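All three Folder Options from sections 1.B, 2.B and 3.B are stored as values under one registry key for the current user, which makes them easy to audit and to set on a new machine. The PowerShell below is an added example (not code from the original article); the key path and value meanings are the ones the Folder Options dialog itself uses, and the function names are my own.

```powershell
# Added example, not code from the original article: read and set, for the
# current user, the three Folder Options discussed above by writing the
# registry values the dialog itself writes.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerVisibility {
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ShowHiddenFiles = ($v.Hidden -eq 1)           # Hidden: 1 = show, 2 = hide
        ShowSystemFiles = ($v.ShowSuperHidden -eq 1)  # ShowSuperHidden: 1 = show protected OS files
        ShowExtensions  = ($v.HideFileExt -eq 0)      # HideFileExt: 0 = show extensions
    }
}

function Set-ExplorerVisibility {
    param(
        [bool]$ShowHiddenFiles = $true,
        [bool]$ShowSystemFiles = $false,   # leave protected OS files hidden unless you need them
        [bool]$ShowExtensions  = $true
    )
    Set-ItemProperty -Path $key -Name Hidden          -Type DWord -Value $(if ($ShowHiddenFiles) { 1 } else { 2 })
    Set-ItemProperty -Path $key -Name ShowSuperHidden -Type DWord -Value $(if ($ShowSystemFiles) { 1 } else { 0 })
    Set-ItemProperty -Path $key -Name HideFileExt     -Type DWord -Value $(if ($ShowExtensions)  { 0 } else { 1 })

    # Explorer reads these values when it starts, so restart it (open windows are lost).
    Stop-Process -Name explorer -Force
    Start-Sleep -Seconds 1
    if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

'Before:'; Get-ExplorerVisibility | Format-List
Set-ExplorerVisibility -ShowHiddenFiles $true -ShowExtensions $true
'After:';  Get-ExplorerVisibility | Format-List
```

Get-ExplorerVisibility is also a quick way to check a machine you did not set up yourself: all three values at their defaults (Hidden = 2, ShowSuperHidden = 0, HideFileExt = 1) means every trick in this section still works against that user.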

C. Why does Windows hide file extensions by default?

The main reason is to avoid the support headaches caused by users accidentally changing the extension while renaming a file, which leaves the file unable to open in the software designed for it. Note that unchecking this option does not reveal every extension: shortcuts (.lnk) and a few other types are registered to never show theirs, which is why the shortcut in section 1 still appears as "Weekly Payroll Report.pdf".

4. When the preview pane is exploited, you can be infected without double-clicking

The Preview Pane is a feature in Explorer that allows you to quickly view the contents of a file. This is extremely beneficial when you need to work with multiple documents and need to quickly identify which file contains the information you need.

Explorer is not the only place with this functionality: if you use a mail client, you have probably used Outlook's reading pane as well.

A. How does the preview pane work?

When you select a file, Explorer looks up the preview handler registered for that file type and loads it in the background, normally in a separate surrogate process (prevhost.exe) rather than inside Explorer itself. The handler is the document software's own parsing code (for Word documents, the Word preview handler), and it opens and renders the file the moment it is selected.

The rendered content then appears in the preview pane. Only file types with a registered preview handler are previewed; executables are not (imagine selecting an .exe and having it run immediately).

[Image: Explorer preview pane rendering a .docx file]

Therefore, when the preview pane itself has a vulnerability, or when the document software it runs in the background is exploited, you can be infected without ever double-clicking a file. The end result is the usual one: ransomware, data theft, and so on.

B. Preview pane vulnerabilities identified in the past

CVE-2022-30190 ("Follina", code execution through the Microsoft Support Diagnostic Tool from an Office document, triggerable from the Explorer preview pane with an RTF file): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

CVE-2020-1483 (Microsoft Outlook memory corruption, reachable through the preview pane): https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-1483

CVE-2024-21413 (Microsoft Outlook remote code execution, "MonikerLink", reachable through the preview pane): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413

C. How to Turn Off Preview Pane

You can turn the preview pane off for the current window from the View tab in Explorer, by deselecting the two pane buttons (Preview pane and Details pane) as shown below. This is per window and is easily switched back on.

[Image: turning off the preview pane from Explorer's View tab]

Or you can disable it for good by policy, using the commands below:

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPreviewPane /t REG_DWORD /d 1 /f

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoReadingPane /t REG_DWORD /d 1 /f

These values live under HKEY_CURRENT_USER, so an ordinary (non-elevated) Command Prompt is enough; to apply the policy to every user on the machine, write the same values under HKEY_LOCAL_MACHINE instead, which does require Run as administrator. They are the values set by the "Turn off Preview Pane" and "Turn off Details Pane" settings under Windows Components > File Explorer > Explorer Frame Pane in Group Policy. Restart explorer.exe (Task Manager > Windows Explorer > Restart, or log off and back on) for the change to take effect.
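The PowerShell below is an added example (not code from the original article) serving sections 4.A and 4.C. Part 1 answers "what would run if I clicked this?" by mapping every registered extension to the preview handler Explorer would load for it; part 2 is the policy change above as a function that creates the key if needed, supports the per-machine variant, restarts Explorer and reads the values back. The registry paths and the IPreviewHandler shell-extension GUID are standard Windows values; the function names are assumptions.

```powershell
# Added example, not code from the original article. Part 1: extension -> preview
# handler Explorer would load on selection. Part 2: disable the preview pane by
# policy and verify. Registry paths and the IPreviewHandler GUID are standard.

# --- Part 1: which file types have a preview handler ------------------------
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
$previewGuid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'   # shellex subkey for IPreviewHandler

# CLSID -> friendly name of every preview handler installed on this machine
$handlers = @{}
$list = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers'
foreach ($clsid in $list.GetValueNames()) { $handlers[$clsid] = $list.GetValue($clsid) }

function Get-PreviewHandlerFor([string]$ext) {
    # Explorer looks at the extension key, its ProgID, and SystemFileAssociations
    $extKey = Get-Item "HKCR:\$ext" -ErrorAction SilentlyContinue
    $progId = if ($extKey) { $extKey.GetValue('') }
    $candidates = @("HKCR:\$ext\shellex\$previewGuid")
    if ($progId) { $candidates += "HKCR:\$progId\shellex\$previewGuid" }
    $candidates += "HKCR:\SystemFileAssociations\$ext\shellex\$previewGuid"
    foreach ($p in $candidates) {
        if (Test-Path $p) { return (Get-Item $p).GetValue('') }
    }
    return $null
}

Get-ChildItem 'HKCR:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $clsid = Get-PreviewHandlerFor $_.PSChildName
        if ($clsid) {
            [pscustomobject]@{ Extension = $_.PSChildName; Handler = $handlers[$clsid]; CLSID = $clsid }
        }
    } | Sort-Object Extension | Format-Table -AutoSize

# --- Part 2: disable (or re-enable) the preview pane by policy ---------------
function Set-PreviewPanePolicy {
    param([switch]$Enable, [switch]$AllUsers)   # -AllUsers writes HKLM and needs an elevated shell
    $hive = if ($AllUsers) { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $value = if ($Enable) { 0 } else { 1 }
    # Same values as the reg add commands above: NoReadingPane backs the
    # "Turn off Preview Pane" policy, NoPreviewPane the "Turn off Details Pane" policy.
    foreach ($name in 'NoReadingPane', 'NoPreviewPane') {
        Set-ItemProperty -Path $key -Name $name -Type DWord -Value $value
    }
    Stop-Process -Name explorer -Force
    Start-Sleep -Seconds 1
    if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
    Get-ItemProperty -Path $key | Select-Object NoReadingPane, NoPreviewPane
}

Set-PreviewPanePolicy            # disable for the current user and print the values back
# Set-PreviewPanePolicy -Enable  # restore
```

The part 1 table is worth keeping: every row is a parser that runs on a file the moment you click on it, so it is also the list of software whose updates you cannot afford to postpone if you keep the pane on.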

If your work relies heavily on this function, keep using it, but be strict about installing Windows and Office updates promptly, since that is what closes vulnerabilities like the ones above.

III. Conclusion

OPSEC for regular computer users means configuring settings and following usage rules that keep your computer free of malware, minimize both controlled and uncontrolled leaks of personal information, maintain performance, and keep the machine comfortable and easy to use.

Hidden files, protected system files, hidden file extensions and the preview pane are convenience features designed to make handling documents safer and more efficient. When they are abused, however, they become a veil that helps malware spread on your computer.

I hope this article helps answer the question you came here with: how to protect your home computer.




