  • hamidullahbayram

Uncovering the Threat: How Does NTFS Alternate Data Stream (ADS) Hide Embedded Malware?


Alternate Data Streams (ADS) are a file attribute found only in the NTFS file system. In NTFS a file is composed of several attributes, one of which is $DATA, also known as the data attribute; it is the attribute shown in the practical examples below, and for a text file it holds the file's text.

Source: fid3.com


Even though you might not be familiar with them, NTFS file streams are used every day by any modern Windows OS when it accesses files. This article describes the NTFS ADS feature, demonstrates how file stream capabilities can be used and abused by adversaries in cyberattacks, and lists the key points companies need in order to defend against the ADS threat.


Regarding the benefits and common uses of ADS: the original purpose of ADS was to let Windows NT servers work with Apple Macintosh clients that used the Hierarchical File System (HFS). A hierarchical file system is one that arranges files into a tree structure using folders. Windows added alternate data streams to NTFS so that extra information about files and directories could be stored alongside them, which made NTFS compatible with HFS. ADS can be used to hold non-essential data related to a file, data that is frequently reached through the right-click menu option.


Some examples of ADS use are adding fonts or sounds to a file, storing a document summary, storing keywords associated with the file, providing an image thumbnail preview, allowing the use of favicons (which help to identify a website quickly), and providing icon types for Mac operating systems. Additionally, Internet Explorer saves the page icons of web links stored as Favorites in a separate data stream.


However, ADS has a poor reputation and is open to abuse, because these data streams have been misused to write concealed data, ranging from information about the origin of a file to whole malware files for backdoors.


Let’s start by creating a .txt file from cmd and adding a few lines to it: Einkauflist.txt. The stream contains no other files and the length is 26.


Now I have embedded another .txt file named secret.txt into the first one; it contains a payload with malicious scripts. It can be expanded or executed later, depending on the purpose of the APT threat actors. It is not visible when the file is opened.


There are several ways to check streams, either Get-Item in PowerShell or the dir /r command in cmd; let’s check it again using PowerShell. The length has changed and the stream now has an embedded file.


Now I try to embed a script file (.ps1), an exe file and a video into a photo, then expand and execute them with the appropriate command from cmd or PowerShell. We have a quite innocent-looking .png file :)


There are three different files in the stream: payload1 is an .mp4 video file, payload2 is a malicious .ps1 script file, and payload3 is the calculator as an .exe file.


We can play the video from the photo’s stream using a video player.


…and here is the calculator launched via PowerShell from the .exe embedded in the photo’s stream.


Depending on the file type, the commonly used commands for working with ADS content are: expand for extracting the content, and wmic process call create, rundll32.exe, cscript, bash.exe (.sh files), regini.exe (.ini files), regedit (.reg files) and cmd.exe (.bat files) for executing it from the ADS.


Regarding actions against the ADS threat, removing the streams is not always the best option. Some streams are required for the software that generated them automatically to keep working. Therefore, before deleting them, do some preliminary research.


Malicious content, such as ransomware and other malware, can be hidden inside the hierarchical file structure by adversaries using ADS. Although we have information about the default stream, the actual size of the data cannot be predicted from it, and an ADS may contain megabytes of hidden data or executable code. Visibility into ADS should be increased during strategy development, and tools that can scan, identify and detect alternate data streams, such as data exfiltration detectors and data discovery tools, should be put to use. It is always better to have some incident prevention before the response :)
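As an added example (not from the original post) that covers both the Get-Item stream check shown earlier and the detection advice here, this PowerShell script walks a directory, lists every non-default stream with Get-Item -Stream *, and flags streams that are large or carry an executable-looking name. The $Root path, the size threshold and the benign-name list are assumptions.

```powershell
# Added example, not from the original post: enumerate non-default NTFS streams
# under a directory and flag the ones worth a closer look.
# Assumes Windows PowerShell 3.0+ on an NTFS volume.
param(
    [string]$Root = 'C:\Users\Public',   # assumed starting directory
    [int]$MinSuspiciousBytes = 4096       # assumed size threshold
)

# Stream names that routinely appear on ordinary files and are usually benign.
$KnownBenign = @('Zone.Identifier', 'encryptable', 'SmartScreen')

# Extensions the post lists as content that can be run or expanded from an ADS.
$ExecutableExt = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.sh', '.reg', '.ini')

Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns every stream; ':$DATA' is the default data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamExt = [System.IO.Path]::GetExtension($_.Stream).ToLower()
                $reasons = @()
                if ($KnownBenign -notcontains $_.Stream) { $reasons += 'unusual stream name' }
                if ($ExecutableExt -contains $streamExt)  { $reasons += 'executable-looking stream name' }
                if ($_.Length -ge $MinSuspiciousBytes)   { $reasons += "large stream ($($_.Length) bytes)" }
                [PSCustomObject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    Suspicious = ($reasons.Count -gt 0)
                    Reasons    = ($reasons -join '; ')
                }
            }
    } |
    Sort-Object -Property Suspicious, Bytes -Descending |
    Format-Table -AutoSize
```

Run it against a folder that contains the Einkauflist.txt or photo examples from above and the embedded payload streams show up with their sizes; the same listing can be produced per file with dir /r from cmd.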


