The Purpose
The purpose of this project is to demonstrate how cyber threat actors use alternate data streams to hide malicious content and how defenders can identify that activity. First, this write-up defines alternate data streams (ADS) and their normal function in a Windows environment. Then it demonstrates how threat actors abuse them. Lastly, it gives detection techniques for identifying the activity and methods for removing it.
Definition: Alternate Data Stream
Alternate data streams (ADSs) are a feature of Windows' NTFS file system. Every NTFS file has a default, unnamed $DATA stream, which is what ordinary tools read and write, and may additionally carry any number of named $DATA streams; these named streams are the alternate data streams. When a file is opened by its path, only the default stream is opened. A named stream is reached by appending a colon and the stream name to the path (for example MyFile.txt:secret), and it is not shown by Explorer or a plain dir listing, so its contents are effectively hidden from the user.
Covert Attributes
- Adding an ADS does not change the file size reported by Explorer, dir, or Get-Item, because that size counts only the default stream (the file's modification timestamp is updated, though).
- An ADS can be any size, limited only by free space on the volume.
- An ADS can be attached to any file type and can hold any kind of content: text, a script, or a complete executable.
- An ADS can be attached to a directory as well as to a file; any user with write permission on the location can do so, and no special privilege is needed.
- Adding, modifying, or deleting an ADS does not change the file hash, because hashing tools read only the default stream. Hash-based integrity and allow-list checks therefore do not notice the change.
- Stream-aware applications can open a named stream independently of the default stream, so data can be written to an ADS even when the file's default stream is locked by another process. Anti-virus scanners that read only the default stream, or that skip locked files, never see that content.
- Neither NTFS nor the MFT provides a mechanism to disable ADSs; the only controls are monitoring for them and removing them.
Attack Code
Writes <content> into a named stream of MyFile.txt; the file's visible size and hash are unchanged afterwards:
Set-Content -Path .\MyFile.txt -Stream <stream name> -Value <content>
Detection Code
Reads the hidden content once the stream name is known:
Get-Content .\MyFile.txt -Stream <stream name>
Lists every stream on the file, including the default :$DATA stream, which exposes any named stream:
Get-Item .\MyFile.txt -Stream *
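The following PowerShell walkthrough is an added example and is not part of the original write-up. It ties the attack and detection commands above together, verifies the size-and-hash claims from the Covert Attributes list, hunts a whole directory tree for named streams, and adds the removal step the introduction promises. It assumes PowerShell 5.1 or later on an NTFS volume, writes only into a throwaway folder under %TEMP%, and the stream name 'secret' and the Find-AlternateStreams helper are this example's own choices, not anything from the original page.

```powershell
# Added example, not original page content. Requires PowerShell 5.1+ on NTFS.
# Everything happens inside a scratch folder under %TEMP% that is deleted at the end.

$target = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $target -Force | Out-Null
$file = Join-Path $target 'MyFile.txt'
Set-Content -Path $file -Value 'Harmless-looking cover text.'

# Baseline: size and hash as ordinary tools see them (default $DATA stream only).
$sizeBefore = (Get-Item $file).Length
$hashBefore = (Get-FileHash $file -Algorithm SHA256).Hash

# Attack step: stash content in a named stream. 'secret' is an arbitrary name.
Set-Content -Path $file -Stream 'secret' -Value 'payload hidden in an ADS'

# The visible size and the hash do not change, which is what makes ADS attractive.
$sizeAfter = (Get-Item $file).Length
$hashAfter = (Get-FileHash $file -Algorithm SHA256).Hash
"Size unchanged: $($sizeBefore -eq $sizeAfter); hash unchanged: $($hashBefore -eq $hashAfter)"

# Detection step 1: enumerate every stream on the file, not just :$DATA.
Get-Item $file -Stream * | Select-Object FileName, Stream, Length

# Detection step 2: hunt a whole tree for named streams on files.
# Zone.Identifier is the Mark-of-the-Web stream browsers add to downloads,
# so it is filtered out as expected noise; anything else is worth a look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $target

# Triage: read what the stream holds before deciding what to do with it.
Get-Content -Path $file -Stream 'secret'

# Removal: delete only the named stream; the file and its default stream remain.
Remove-Item -Path $file -Stream 'secret'
Get-Item $file -Stream * | Select-Object Stream, Length   # only :$DATA should remain

# Clean up the scratch folder.
Remove-Item -Path $target -Recurse -Force
```

Run Find-AlternateStreams against user-writable locations such as profile and temp folders on a suspect host; the built-in `dir /r` in cmd.exe shows the same information, including streams on directories, which this helper restricts to files.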