May 8, 2020
@ochsenmeier
Marc Ochsenmeier
www.winitor.com
Windows Alternate Data Streams (ADS)
@ochsenmeier | Marc Ochsenmeier | www.winitor.com May 08, 2020
Windows Alternate Data Streams (ADS): How data and code can be hidden in files and directories
Introduction
A file is more than one file
A file is a container
◦ one visible file
◦ zero or more invisible files
◦ …with any kind of content and size
What is usually called "the file" is only its first (default) data stream; the alternate data streams are invisible.
Diagram: default data stream (visible); alternate data stream(s) (invisible); …
Importance
ADS are inherent to the NTFS infrastructure
◦ cannot be disabled
◦ are almost unknown
◦ are stealthy
ADS can contain data
◦ must be handled by backup
ADS can contain code
◦ must be handled by antivirus
History
ADS have existed since the inception of Windows NT 3.1
◦ sharing files with Macintosh clients
◦ data (content) and resource (management) forks
Windows Server provides this facility through the FSFM service
NTFS Basics - MFT
Information about files and directories on an NTFS partition is located in the Master File Table (MFT)
◦ a record is a collection of attributes that document a file
NTFS Basics - Streams
A file is a collection of attributes
◦ all are stored as separate streams
◦ some are mandatory (name, time stamps…)
◦ some are optional (security descriptor, EFS)
◦ some may appear more than once (LFN, 8.3, hardlink, data…)
Diagram: standard info | LFN | 8.3 | security | data | data | data | EFS | …
NTFS Basics – File Content
The content of a file is one stream among others
NTFS doesn't manage files, it manages streams
◦ $STANDARD_INFORMATION: general attributes stream (read-only, archive, time stamps, file creation, last modified, hardlink count…).
◦ $FILE_NAME: a file can have one or more file name streams (long file name, "8.3 name", hardlink name).
◦ $SECURITY_DESCRIPTOR: Discretionary Access Control List (DACL), Security Access Control List and Integrity Level (SACL) stream.
◦ $DATA: a file has one default (unnamed, primary) data stream; a directory has no default (unnamed, primary) data stream.
◦ $EFS: Encrypted File System stream (version, list of users authorized to access the file, etc.).
NTFS - Properties
All streams of a file are ruled by common properties
◦ General
◦ Security
◦ Encryption
◦ Integrity Level
◦ Quota
◦ Audit
Support
ADS are only supported on NTFS
◦ ADS are deleted once the file is copied to FAT
Support
ADS are only supported on NTFS
◦ ADS are not supported (and are deleted) once the file is copied to FAT
Usage > Zone Model
A technique (aka "Mark of the Web", MotW) to document the origin of some binary files
◦ Execution triggers a digital signature check and UAC consent
Usage > Internet Explorer
The trust level of some downloaded files is stored in an ADS named "Zone.Identifier"
Usage > Office
Office is "Zone.Identifier" aware and opens downloaded documents in "Protected View" mode to implement a security boundary.
Usage > Internet Explorer
Icons for Favorites are saved in the "favicon" ADS of URL files
Usage > Internet Browsers
Recent internet browsers now store more metadata in ADS
Usage > Windows Change Journal
The Windows Change Journal is an ADS
Usage > Storage Service
"Win32App_1" ADS (placeholder?) in many directories
Usage > Symantec Endpoint Protection
Symantec uses "Zone.Identifier", but not as MotW.
Visibility
But the size and count of ADS are still ignored in the summary!
Impact
Rendering a Compiled HTML Help (CHM) file
Detection
Antivirus must handle ADS
Detection
Windows Defender SmartScreen is ADS aware
Detection
When configured, the system audits access to ADS
Detection
streams.exe is your friend
Demo
The following scenarios
◦ Put an ADS into a file
◦ Put an ADS into a directory
◦ Execute a file located in an ADS
◦ Access an ADS
◦ Remove an ADS
Visibility and access
Some specific streams are visible and accessible
API
Documented
◦ CreateFile, ReadFile and WriteFile (kernel32.dll)
◦ BackupRead, BackupSeek and BackupWrite (kernel32.dll)
◦ FindFirstStream, FindNextStream (kernel32.dll)
◦ IZoneIdentifier COM interface (urlmon.dll)
◦ PowerShell (Get-Item, Get-Content, Remove-Item…)
Undocumented
◦ NtQueryInformationFile (ntoskrnl.exe)
Issues
◦ Detection and removal
◦ Backup & restore
◦ Forensics
◦ File hash and checksum
◦ DoS attack
◦ Code execution
◦ Usage as persistence technique
◦ Misuse of valid ADS
◦ Unsupported outside NTFS
Summary
ADS exist
ADS cannot be disabled
ADS are used
ADS can be misused
ADS must be watched
References
Putting data in Alternate data streams and how to execute it
◦ https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Using Alternate Data Streams to Persist on a Compromised Machine
◦ https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/
The Ultimate guide to Data Hiding using alternative data stream
◦ http://www.darknessgate.com/security-tutorials/date-hiding/ntfs-alternate-data-streams/
AlternateStreamView - View/Copy/Delete NTFS Alternate Data Streams
◦ https://www.nirsoft.net/utils/alternate_data_streams.html
Stream Detector v1.2
◦ https://www.novirusthanks.org/products/stream-detector/
Putting data in Alternate data streams and how to execute it – part 2
◦ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
Execute from Alternate Streams
◦ https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
References (continued)
Introduction to ADS – Alternate Data Streams
◦ https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
The Abuse of Alternate Data Stream Hasn’t Disappeared
◦ https://www.deepinstinct.com/2018/06/12/the-abuse-of-alternate-data-stream-hasnt-disappeared/
How to prevent bypassing AppLocker using Alternate Data Streams
◦ https://hitco.at/blog/howto-prevent-bypassing-applocker-using-alternate-data-streams/
Tools
◦ Windows built-in tool "dir /r"
◦ Streams - www.sysinternals.com
◦ ADSSpy – www.bleepingcomputer.com
Backslide > demo > execute a file located in an ADS
◦ start
◦ mklink
◦ wmic
◦ cscript
◦ wscript
◦ mshta
◦ powershell
◦ rundll32
◦ LoadLibrary
◦ WinExec
Backslide > demo
Listening to music located in an ADS
Backslide > demo
start file:ads does not (fully) work anymore…
Backslide > demo
PowerShell > flexible programmatic access to handle ADS
Backslide > demo
WMI command-line utility
Backslide > demo
Console-based Script Host (cscript)
Backslide > demo
Windows-based Script Host (wscript)
Backslide > demo
PowerShell
Backslide > demo
Symbolic link
Backslide > demo
rundll32 invokes an exported function of a DLL located in an ADS
Backslide > demo
Load an executable file located in an ADS using LoadLibrary
Backslide > demo
Start mimikatz located in an ADS using WinExec
Backslide > demo
Adding an ADS to a file does not change the hash of the file
Backslide > demo
Retrieve the hash of an ADS hidden in a file
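The two hash demos above, together with the "dir /r" / streams.exe inventory and the Zone.Identifier usage slide, as one added example that is not part of the original deck: it lists every named stream under a directory with Get-Item -Stream * (the PowerShell route from the API slide), hashes each stream, decodes a Zone.Identifier, and checks that the file's own hash is unchanged after an ADS is added. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the file, stream contents and zone table are constructed test values, and the "MZ" check is an assumption about what counts as hidden code.

```powershell
# Added example (not from the slides): inventory the alternate data streams of a
# directory tree, hash each stream, decode Zone.Identifier, and show that adding
# an ADS leaves the file's own hash unchanged. Windows PowerShell 5.1+ on NTFS.
# File and stream names below are constructed test values.

# ZoneId values written by the Zone Model (Mark of the Web), mapped to names.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an INI-style text stream: [ZoneTransfer] / ZoneId=3 / ...
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') {
            $id = [int]$Matches[1]
            if ($ZoneNames.ContainsKey($id)) { return $ZoneNames[$id] }
            return "Zone $id"
        }
    }
    return $null
}

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Path)
    # Directories can carry named streams too, so do not filter with -File.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        # Get-Item -Stream * lists every $DATA stream; the unnamed default stream
        # of a file shows up as ':$DATA' and is skipped here.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            # .NET opens "path:stream" directly on NTFS; no special API is needed.
            $fs = [System.IO.File]::OpenRead("$($item.FullName):$($s.Stream)")
            try {
                $magic = New-Object byte[] 2
                $n = $fs.Read($magic, 0, 2)
                $fs.Position = 0
                $sha  = [System.Security.Cryptography.SHA256]::Create()
                $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally { $fs.Dispose() }
            $zone = $null
            if ($s.Stream -eq 'Zone.Identifier') { $zone = Get-MotwZone -Path $item.FullName }
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Length = $s.Length
                # 'MZ' at offset 0 means a PE image: the "code hidden in an ADS" case.
                IsPE   = ($n -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
                Zone   = $zone
                SHA256 = $hash
            }
        }
    }
}

# --- Demo on a constructed file; the hidden stream holds harmless text ---
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'
Set-Content -LiteralPath $file -Value 'visible content'
$before = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash

# Adding a named stream does not touch the default stream, so the file hash
# that AV, backup and forensic tooling usually record stays the same.
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'invisible content'
$after = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
"File hash unchanged after adding an ADS: $($before -eq $after)"

# Constructed Zone.Identifier, in the form a browser download writes it.
Set-Content -LiteralPath $file -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Explorer's size column ignores both streams; this listing does not.
Get-AdsInventory -Path $dir | Format-Table Stream, Length, IsPE, Zone, SHA256 -AutoSize
```

The inventory reports 'hidden.txt' and 'Zone.Identifier' (zone "Internet") for report.txt, each with its own SHA256, while the two Get-FileHash values for the file itself are equal.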
Backslide > demo
How to prepare a DoS with an ADS
Backslide > demo
Malware uses Alternate Data Streams > MITRE - T1096
"The Tale of DNS Messenger": https://blog.talosintelligence.com/2017/03/dnsmessenger.html
Backslide > demo
Windows executable hidden on a Linux system via ADS
Backslide
When not explicitly accessed, an ADS is not loaded into memory
Opening (double-click/Enter) a file does not trigger its ADS