# Windows File System Vulnerability - Alternate Data Streams

## Alternate Data Streams (ADS) Attack Flow

### Overview of ADS

**Alternate Data Streams (ADS)** are a feature of **NTFS (New Technology File System)**, the default file system of Windows. NTFS added them for compatibility with the Macintosh **HFS (Hierarchical File System)**, whose files carry a resource fork in addition to their data fork; Windows NT file servers needed somewhere to keep that fork for Macintosh clients, and the mechanism stayed in the file system long after that use case disappeared.

#### Key Concepts

1. **Default (Unnamed) Data Stream**:
   * **Definition**: The stream every NTFS file has, addressed internally as `file.txt::$DATA`. It is what a program gets when it opens `file.txt`.
   * **Function**: Holds the file's primary content; its length is the size reported by `dir`, Explorer, and `Get-Item`.
2. **Alternate (Named) Data Stream**:
   * **Definition**: Any additional named stream attached to the same file record, addressed as `file.txt:name` (internally `file.txt:name:$DATA`). It is the NTFS counterpart of the HFS resource fork, which is why older texts call it the "resource stream".
   * **Function**: Carries extra data alongside the file. Windows uses it legitimately, for example `Zone.Identifier`, the Mark-of-the-Web written to downloaded files, but ordinary directory listings, Explorer, and the reported file size do not show it. The streams exist only on NTFS: they are discarded when the file is copied to FAT32 or exFAT, sent as a mail attachment, or packed into an archive by a tool that is not stream-aware.

### Attack Flow Using ADS

1. **Create a Legitimate File**:
   * The attacker creates or selects an innocuous carrier file (a document, an image, or an executable) on an NTFS-formatted volume. Nothing about the carrier needs to change; its visible content stays intact.
2. **Add Malicious Code to an Alternate Stream**:
   * The attacker writes the payload into a named stream attached to the carrier. The general form is:

     ```cmd
     echo [malicious_code] > [file_name]:[stream_name]
     ```
   * For example, to store a payload in a stream called `malicious` on `example.txt`:

     ```cmd
     echo "malicious_payload" > example.txt:malicious
     ```
   * `echo` is enough for text such as a script; a binary is copied into a stream the same way with `type` in place of `echo`. After the write, `dir` and Explorer still report the original size, because only the unnamed stream is counted.
3. **Evasion of Detection**:
   * **Basic AVs and Static Scanning Tools**: A scanner that opens a file by its plain path sees only the primary data stream. Historically this included many antivirus engines and most static-analysis tools, and it still applies to any tooling that is not stream-aware: hash-based allowlists, file sweeps with a pattern matcher, directory listings, and size-based integrity checks.
   * **Bypassing Detection**: The payload in the alternate stream is never presented to such a tool, so the carrier looks clean. Modern endpoint protection (including Microsoft Defender) does inspect alternate streams, so today the value of the technique lies mainly in stealth against casual inspection and non-stream-aware tooling rather than against a current AV engine.
4. **Execution of Malicious Code**:
   * **Launching**: Current Windows versions do not let `CreateProcess` start an executable directly from a `file:stream` path, so the attacker needs an interpreter or loader that will read from a stream, triggered through a vulnerability, a scheduled task, or social engineering.
   * **Documented Techniques** (catalogued under MITRE ATT&CK T1564.004, NTFS File Attributes): `wmic process call create` given the stream path, on builds that still ship WMIC; `rundll32` pointed at a DLL stored in a stream; and PowerShell reading the stream with `Get-Content -Stream` and piping it to `Invoke-Expression`. In each case a trusted Windows binary reads the stream, rather than the stream being launched on its own.

#### Example Commands

* **Add a Stream**:

  ```cmd
  echo "malicious_payload" > example.txt:malicious
  ```
* **List All Streams** (the `/R` switch exists since Windows Vista; Sysinternals `streams.exe` and PowerShell `Get-Item -Stream *` show the same information and can walk a whole directory tree):

  ```cmd
  dir /R
  ```
* **Read a Stream** (redirection is used because `type` does not accept a stream path as its argument, while `more` happily reads the redirected stream from standard input):

  ```cmd
  more < example.txt:malicious
  ```
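The whole flow in one PowerShell session, as an added example that is not part of the original page: create a carrier file, hide a script in a named stream, show that the reported size does not change, run the script through `Invoke-Expression`, and clean up. The file name `example.txt` and the stream name `payload.ps1` are illustrative choices, and the payload is a harmless `Write-Output` standing in for real malicious code. It needs an NTFS volume and Windows PowerShell 3 or later (or PowerShell 7 on Windows); the `-Stream` parameter does not exist in PowerShell builds for Linux or macOS.

```powershell
# Added example (not from the original page): the ADS attack flow end to end.
# Assumptions: NTFS volume, Windows PowerShell 3+ / PowerShell 7 on Windows,
# illustrative names 'example.txt' and 'payload.ps1'.

$Path = Join-Path $env:TEMP 'example.txt'

# 1. Create (or pick) an innocuous carrier file. Its visible content is what
#    Explorer, 'dir' and any program opening the plain path will see.
Set-Content -Path $Path -Value 'Quarterly figures, nothing to see here.'
$before = (Get-Item -Path $Path).Length

# 2. Write the payload into a named stream on the same file record.
#    A harmless script stands in for the attacker's code.
$payload = 'Write-Output ("Running from an alternate data stream as " + $env:USERNAME)'
Set-Content -Path $Path -Stream 'payload.ps1' -Value $payload

# 3. Show what is and is not visible. Length counts only the unnamed $DATA
#    stream, so the carrier looks unchanged; a stream-aware listing reveals it.
$after = (Get-Item -Path $Path).Length
"Primary stream length before / after hiding the payload: $before / $after"
Get-Item -Path $Path -Stream * | Format-Table Stream, Length -AutoSize

# 4. Execute from the stream. CreateProcess will not launch 'file:stream'
#    directly on current Windows, so a trusted interpreter reads the stream
#    instead (the PowerShell variant of MITRE ATT&CK T1564.004).
Get-Content -Path $Path -Stream 'payload.ps1' -Raw | Invoke-Expression

# 5. Cleanup: drop the named stream; the carrier and its primary content stay.
Remove-Item -Path $Path -Stream 'payload.ps1'
Get-Item -Path $Path -Stream * | Select-Object FileName, Stream, Length
```

Step 3 is the point of the technique: the two `Length` values are equal, and only `Get-Item -Stream *` (or `dir /R`, or Sysinternals `streams`) lists `payload.ps1`. To hide a binary rather than a script, copy it with `type payload.exe > example.txt:payload.exe` from `cmd.exe`, then load it with `rundll32` or `wmic` as described above.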

***

## Summary

**Alternate Data Streams (ADS)** let an attacker attach content to a legitimate file on an NTFS volume in a named stream that directory listings, Explorer, the reported file size, and any tool opening the file by its plain path never see. Historically this also evaded antivirus engines that scanned only the primary stream; current engines do inspect alternate streams, so the technique now buys stealth against casual inspection and non-stream-aware tooling rather than a reliable AV bypass. Because the streams survive only on NTFS and are easy to enumerate once you look for them (`dir /R`, Sysinternals `streams`, PowerShell `Get-Item -Stream *`, Sysmon Event ID 15), hunting for unexpected streams belongs in every thorough assessment and detection baseline.
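The defensive side of the summary, as an added example that is not part of the original page: a PowerShell sweep that enumerates every stream under a directory and reports any that is neither the default `:$DATA` stream nor `Zone.Identifier`, followed by a query of Sysmon Event ID 15 (`FileCreateStreamHash`), which records stream creation as it happens. The allow-list of stream names, the `Downloads` starting point, and the `-MaxEvents` window are assumptions chosen for illustration; the Sysmon part only returns data where Sysmon is installed with a `FileCreateStreamHash` rule in its configuration.

```powershell
# Added example (not from the original page): hunting for unexpected alternate
# data streams. Assumptions: Windows PowerShell 3+ / PowerShell 7 on Windows,
# an illustrative allow-list, and Sysmon logging Event ID 15 if present.

# Streams Windows itself creates and that are normally benign. Zone.Identifier is
# the Mark-of-the-Web on downloaded files; anything else is reported for review.
$KnownStreams = @(':$DATA', 'Zone.Identifier')

function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Ignore = $KnownStreams
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * enumerates every $DATA attribute on the file
            # record, which 'dir' and Explorer never show.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -notin $Ignore } |
        Select-Object FileName, Stream, Length
}

# On-disk sweep of a user-writable location, a common drop point (assumed path).
Find-SuspiciousAds -Root (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize

# Sysmon Event ID 15 (FileCreateStreamHash) records each ADS creation with
# TargetFilename in 'path:stream' form plus the writing process and a hash of
# the stream content, so the write is caught when it happens, not on a later sweep.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 15 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Image  = $data.Image
        Target = $data.TargetFilename
        Hash   = $data.Hash
    }
} |
    Where-Object { $_.Target -notmatch ':Zone\.Identifier$' } |
    Format-Table -AutoSize
```

Run the sweep against user profile directories, web roots, and shares rather than `C:\Windows`, where legitimate streams are more common and the noise is higher. The Sysmon query is the better long-term control because it also captures the writing process (`Image`), which is what turns a found stream into an investigation lead.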

***

**Hacker's Mantra:** "While many hackers have the knowledge, skills, and tools to attack computer systems, they generally lack the motivation to cause violence or severe economic or social harm." (Dorothy Denning)
