Alternate Data Streams (ADS)
NTFS (New Technology File System) is the default file system for Windows. Alternate Data Streams (ADS) is an NTFS file attribute designed to provide compatibility with MacOS HFS (Hierarchical File System).
Whenever we work with a file on an NTFS formatted drive, there will be two different forks/streams:
- Data stream: Default stream that contains the actual data of the file
- Resource stream: Contains the metadata of the file
ADS can then be abused to hide malicious code or executables in legitimate files, thus avoiding detection. This is done by storing malicious code in the file attribute resource stream (metadata) of the file.
This evades basic signature-based AVs and static scanning tools. (Meaning, this IS NOT a very advanced evasion tactic.)
But how?
notepad test.txt:secret.txt
First, we create a new text file with Notepad. Then, we add a ':' followed by a stream name. This allows us to access the resource stream of the file. Everything that we type into the Notepad window that pops up from now on will be hidden. We can confirm this by opening the created test.txt file and confirming that it appears empty.
That's great and all, but how can this be further exploited? We will use winPEASx64.exe (a privilege escalation tool) as an example. Even though it's not a malicious executable, it is for sure something an attacker would like to keep hidden.
type winPEASx64.exe > windowslog.txt:winpeas.exe
You can (and should) edit the windowslog.txt file and make it look more legit (you can add some random log text). We can (and should) also remove the previously used winPEAS executable, since we already have it hidden in our txt file.
Now we just create a symlink to further hide our bad intentions, and then finally run our malicious payload!
cd \Windows\System32
mklink wupdate.exe C:\Temp\windowslog.txt
wupdate.exe
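From the defender's side, the two artifacts this procedure leaves behind are a file carrying a non-default stream and a symbolic link in System32 pointing somewhere unexpected. The following PowerShell script is an added example (not part of the original note) that audits both. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the $Root default of C:\Temp is an assumed path to audit and should be changed to the directory of interest. Function names are my own.

```powershell
# Added example (not from the original note): hunt for alternate data streams
# and for symbolic links in System32 that point outside the Windows directory.
# Assumes Windows PowerShell 5.1+ / PowerShell 7 on NTFS. C:\Temp is an assumed path.

function Get-NonDefaultStreams {
    param([string]$Root = 'C:\Temp')   # assumed audit path; change as needed

    # Get-Item -Stream * lists every $DATA stream on a file. The unnamed
    # default stream is reported as ':$DATA'; any other stream name is an ADS.
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Get-SuspiciousSystem32Links {
    # LinkType/Target are PowerShell-added properties on FileSystemInfo objects.
    # A symlink inside System32 whose target is outside %SystemRoot% is unusual.
    Get-ChildItem -Path "$env:SystemRoot\System32" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'SymbolicLink' } |
        Where-Object { -not ($_.Target -like "$env:SystemRoot\*") } |
        Select-Object FullName, LinkType, Target
}

# Usage: list hidden streams and odd symlinks, largest streams first.
Get-NonDefaultStreams -Root 'C:\Temp' | Sort-Object Length -Descending | Format-Table -AutoSize
Get-SuspiciousSystem32Links | Format-Table -AutoSize
```

Expect noise from the Zone.Identifier stream, which Windows attaches to downloaded files (Mark of the Web) and is benign; a stream that is large, has an executable-looking name, or sits on a .txt file is the one to inspect. A confirmed unwanted stream can be deleted without touching the file's main content using Remove-Item with the same -Stream parameter, and cmd's `dir /r` shows the same stream listing if PowerShell is not available.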
Conclusions
As we can see, even though this technique requires elevated privileges in order to create the necessary files and the symlink, it's a great way to run a payload for further collection, control, or whatever fits your needs!
Links:
202403231203