🗃️Windows File System Vulnerability - Alternate Data Streams

Alternate Data Streams (ADS) Attack Flow

Overview of ADS

Alternate Data Streams (ADS) are a feature of NTFS (New Technology File System), the default file system of Windows. Every NTFS file has one unnamed default data stream that holds what users think of as "the file"; any number of additional named streams can be attached to the same file (or directory) and are addressed as file_name:stream_name. ADS was introduced with Windows NT 3.1 so that Services for Macintosh could store the resource fork of files coming from HFS (Hierarchical File System), the classic Mac OS file system that keeps a data fork and a resource fork per file. Named streams are not shown by Explorer or by a plain dir listing and do not count toward the file size Windows reports, which is what makes them useful for hiding data.

Key Concepts

  1. Default (Unnamed) Data Stream:

    • Definition: The stream that contains the actual data of the file. On NTFS it is the unnamed $DATA attribute, addressed simply as file_name (or file_name::$DATA).

    • Function: Stores the primary content of the file. This is what Explorer, dir, and most tools read, and its size is the size reported for the file.

  2. Alternate (Named) Data Stream, also called the Resource Stream:

    • Definition: Any additional named stream attached to the same file, addressed as file_name:stream_name. It is the NTFS counterpart of the HFS resource fork it was designed to hold, hence the "resource stream" name.

    • Function: Windows and applications use named streams for metadata about the file. The best-known example is Zone.Identifier, the Mark-of-the-Web stream written to downloaded files and read by SmartScreen and Office. Named streams are invisible in Explorer and in a plain dir, do not change the reported file size, and can hold arbitrary data, including complete executables. (Attributes such as read-only or hidden are separate NTFS attributes, not streams.)

Attack Flow Using ADS

  1. Create a Legitimate File:

    • An attacker creates or selects a legitimate file (e.g., a document, image, or executable) on an NTFS-formatted drive. The carrier must stay on NTFS: copying it to FAT32/exFAT, to a share that does not support streams, or into a ZIP archive silently drops every alternate stream.

  2. Add Malicious Code to an Alternate (Resource) Stream:

    • The attacker writes malicious code, or an entire malicious executable, into a named stream of the legitimate file. The carrier's visible content and reported size do not change.

    • From cmd.exe the general form is:

      echo [malicious_code] > [file_name]:[stream_name]
    • For example, to add a payload to example.txt as a hidden stream called malicious:

      echo "malicious_payload" > example.txt:malicious

    • cmd.exe writes the quotes literally, so the stream contains the string including its quotes. A binary is embedded the same way by redirecting its contents into the stream (type instead of echo).

  3. Evasion of Detection:

    • Hiding from casual inspection: Explorer, a plain dir, and any tool that only opens the default stream never see the payload; the file looks and measures exactly like the original.

    • Limits of the bypass: this is not a reliable antivirus bypass. Modern AV and EDR products, including Microsoft Defender, scan named streams, and file telemetry such as Sysmon Event ID 15 (FileCreateStreamHash) records the creation of a named stream together with a hash of its content. Only tooling that reads just the default stream (simple static scanners, hash-based inventories, most ad-hoc scripts) is fooled.

  4. Execution of Malicious Code:

    • Launching: Data in an alternate stream has no special way of running. The attacker still needs an execution primitive (a vulnerability, a macro, social engineering, or a living-off-the-land binary) that reads the stream and hands its content to an interpreter or to the loader.

    • Example of Execution: A script payload is run by reading the stream and passing it to the interpreter, for example PowerShell's Invoke-Expression. A binary payload can be started through a built-in that accepts a stream path, such as wmic process call create "C:\path\example.txt:payload.exe" (wmic is deprecated and absent from recent Windows 11 builds). Double-clicking the carrier file runs nothing, so a separate launcher is always required.
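The four steps above, carried out end to end in PowerShell. This is an added example, not code from the original page; it runs inside a throwaway directory under %TEMP% so nothing on the host is modified, and the carrier name (decoy.txt), the stream name (build) and the payload text are arbitrary choices for the demo.

```powershell
# Added example (not from the original page): the ADS attack flow end to end.
# Requires Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

$work  = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$decoy = Join-Path $work 'decoy.txt'          # assumed carrier name

# 1. A legitimate-looking carrier file with an ordinary (unnamed) data stream.
Set-Content -Path $decoy -Value 'Quarterly notes, nothing to see here.'

# 2. The "malicious" payload stored in a named stream. A real attacker would
#    drop a script or a PE file here; this demo uses a harmless one-liner.
$payload = 'Write-Output "payload executed as $env:USERNAME"'
Set-Content -Path $decoy -Stream 'build' -Value $payload

# 3. Why it evades casual inspection: the directory listing and the reported
#    Length describe only the unnamed stream, so the file looks untouched.
Get-ChildItem -Path $work | Select-Object Name, Length

#    The named stream shows up only when streams are requested explicitly
#    (the PowerShell counterpart of "dir /R"). ':$DATA' is the unnamed stream.
Get-Item -Path $decoy -Stream * | Select-Object Stream, Length

# 4. Execution: stream content has no special way of running. Something must
#    read it and hand it to an interpreter; here Invoke-Expression plays that role.
$code = Get-Content -Path $decoy -Stream 'build' -Raw
Invoke-Expression $code

# Clean up the demo directory (and with it the carrier and its stream).
Remove-Item -Path $work -Recurse -Force
```

The Get-Item call is the detection hook: the same listing that reveals the build stream here is what a hunt script iterates over across a whole volume.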

Example Commands (cmd.exe)

  • Add a Stream:

    echo "malicious_payload" > example.txt:malicious
  • List All Streams (the /R switch, available since Windows Vista, shows each stream as file_name:stream_name:$DATA):

    dir /R
  • Read a Stream (input redirection is needed because type does not accept a stream path):

    more < example.txt:malicious
  • There is no cmd.exe command that deletes a single stream; use PowerShell's Remove-Item with the -Stream parameter, or copy the file to a non-NTFS volume and back.
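The defensive side of the listing and reading commands above: a PowerShell function that walks a directory tree, reports every named stream that is not on a short allow-list of streams Windows writes legitimately, and hashes the content so a finding can be checked against threat intelligence. This is an added example, not code from the original page; the allow-list (just Zone.Identifier, the Mark-of-the-Web stream), the demo paths and the stream names are assumptions for the demo.

```powershell
# Added example (not from the original page): hunt for alternate data streams
# across a directory tree and remediate a finding. Windows PowerShell 5.1 or 7.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Benign streams to skip. Zone.Identifier is written to every downloaded
        # file; extend the list with others that are normal in your environment.
        [string[]] $Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream, including the unnamed one (':$DATA').
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    $stream = $_
                    # Read raw bytes so binaries hash correctly. The byte switch is
                    # -AsByteStream on PowerShell 6+ and -Encoding Byte on 5.1.
                    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                        Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -AsByteStream -ReadCount 0
                    } else {
                        Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Encoding Byte -ReadCount 0
                    }
                    if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }   # empty stream
                    $sha = [System.Security.Cryptography.SHA256]::Create()
                    $hex = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
                    # 'MZ' at offset 0 means a PE image has been stashed in the stream.
                    $isPE = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $stream.Stream
                        Bytes       = $stream.Length
                        SHA256      = $hex
                        LooksLikePE = $isPE
                    }
                }
        }
}

# Demo against a throwaway directory so nothing real is touched.
$work    = Join-Path $env:TEMP ("ads-hunt-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$carrier = Join-Path $work 'report.txt'
Set-Content -Path $carrier -Value 'Nothing unusual in the main stream.'
Set-Content -Path $carrier -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"   # benign, skipped
Set-Content -Path $carrier -Stream 'hidden.ps1' -Value 'Write-Output "hidden"'             # should be reported

Find-AlternateDataStream -Path $work | Format-Table -AutoSize

# Remediation: delete only the suspicious stream; the carrier file stays intact.
Remove-Item -LiteralPath $carrier -Stream 'hidden.ps1'
Get-Item -LiteralPath $carrier -Stream * | Select-Object Stream, Length

Remove-Item -LiteralPath $work -Recurse -Force
```

Run it as a scheduled hunt over user-writable locations (profiles, Temp, Downloads, web roots) and diff the output over time; a stream that appears on a file whose default stream has not changed is the signal worth triaging.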

Summary

Alternate Data Streams (ADS) let an attacker attach arbitrary content, including scripts and executables, to a legitimate file on an NTFS volume in a named stream that Explorer, a plain dir, and tools that read only the default stream never show. This hides the payload from casual inspection and from naive static tooling, but not from modern AV/EDR, which scans named streams, nor from telemetry that records stream creation. Knowing how to list (dir /R), read, and remove streams, and how to alert on their creation, is part of any thorough host assessment.
