Windows File System Vulnerability - Alternate Data Streams

Alternate Data Streams (ADS) Attack Flow

Overview of ADS

Alternate Data Streams (ADS) are a feature of the NTFS (New Technology File System) used in Windows operating systems. ADS was initially designed to provide compatibility with the HFS (Hierarchical File System) used by MacOS.

Key Concepts

Data Stream:
- Definition: The default stream that contains the actual data of the file.
- Function: Stores the primary content of the file.
Resource Stream:
- Definition: A secondary stream typically used for metadata about the file.
- Function: Stores additional information such as file attributes, but is often not visible to users.

Attack Flow Using ADS

Create a Legitimate File:
- An attacker creates or selects a legitimate file (e.g., a document, image, or executable) on an NTFS-formatted drive.
Add Malicious Code to the Resource Stream:
- The attacker uses the ADS feature to store malicious code or a malicious executable within the resource stream of the legitimate file.
- This is done using the following command:
  echo [malicious_code] > [file_name]:[stream_name]
- For example, to add a malicious payload to example.txt as a hidden stream called malicious:
  echo "malicious_payload" > example.txt:malicious
Evasion of Detection:
- Basic AVs and Static Scanning Tools: Most basic antivirus (AV) software and static scanning tools only check the primary data stream for malicious content.
- Bypassing Detection: The malicious code in the alternate data stream is not detected because these tools do not scan the resource stream.
Execution of Malicious Code:
- Launching: The attacker may exploit a vulnerability or use social engineering techniques to execute the malicious code hidden in the resource stream.
- Example of Execution: If the attacker’s goal is to execute a malicious payload, they might leverage the ADS content using specific techniques or scripts.

Example Commands

Add a Stream:

eecho "malicious_payload" > example.txt:malicious

List All Streams:
```
dir /R
```
Read a Stream:
```
more < example.txt:malicious
```

Summary

Alternate Data Streams (ADS) allow attackers to hide malicious content within the metadata of a legitimate file on NTFS-formatted drives. This technique is used to evade detection by basic antivirus software and static analysis tools. Understanding ADS is crucial for comprehensive security assessments and effective detection of hidden threats.

References

Hacker's Mantra:While many hackers have the knowledge, skills, and tools to attack computer systems, they generally lack the motivation to cause violence or severe economic or social harm. Dorothy Denning

PreviousAccess Token Impersonation NextWindows Credential Dumping

Last updated 10 months ago

Was this helpful?

Alternate Data Streams (ADS) Attack Flow

Overview of ADS

Key Concepts

Data Stream:

Definition: The default stream that contains the actual data of the file.
Function: Stores the primary content of the file.

Resource Stream:

Definition: A secondary stream typically used for metadata about the file.
Function: Stores additional information such as file attributes, but is often not visible to users.

Attack Flow Using ADS

Create a Legitimate File:

An attacker creates or selects a legitimate file (e.g., a document, image, or executable) on an NTFS-formatted drive.

Add Malicious Code to the Resource Stream:

The attacker uses the ADS feature to store malicious code or a malicious executable within the resource stream of the legitimate file.

This is done using the following command:

echo [malicious_code] > [file_name]:[stream_name]

For example, to add a malicious payload to example.txt as a hidden stream called malicious:
```
echo "malicious_payload" > example.txt:malicious
```

Evasion of Detection:

Basic AVs and Static Scanning Tools: Most basic antivirus (AV) software and static scanning tools only check the primary data stream for malicious content.
Bypassing Detection: The malicious code in the alternate data stream is not detected because these tools do not scan the resource stream.

Execution of Malicious Code:

Launching: The attacker may exploit a vulnerability or use social engineering techniques to execute the malicious code hidden in the resource stream.
Example of Execution: If the attacker’s goal is to execute a malicious payload, they might leverage the ADS content using specific techniques or scripts.

Example Commands

Add a Stream:

eecho "malicious_payload" > example.txt:malicious

List All Streams:

dir /R

Read a Stream:

more < example.txt:malicious

Summary

References

Hacker's Mantra:

While many hackers have the knowledge, skills, and tools to attack computer systems, they generally lack the motivation to cause violence or severe economic or social harm. Dorothy Denning