NTFS Alternate Data Streams


Background

Alternate Data Streams (ADS), also called alternate NTFS streams, are a feature of the NTFS file system. Every NTFS file has a primary, unnamed data stream (the one every ordinary application reads and writes) and may carry any number of additional named streams, each with its own contents, size, and lock state. ADS was originally added to provide compatibility with Macintosh files, whose Hierarchical File System (HFS) stores a second "resource fork" next to the data fork. In practice ADS is used to attach additional information (metadata) to a file or directory. Legitimate uses include zone information (Mark of the Web), encryption, AV optimizations, and SQL database integrity. There are also malicious uses, such as hiding code or data inside an existing, innocuous-looking file.

notes:

  • ADS data is lost when a file or directory is copied or moved to a non-NTFS file system (FAT32, exFAT) or packed into a format that only carries the primary stream (most archive formats and mail attachments). Copies between NTFS volumes, including over SMB to an NTFS-backed share, keep the streams.
  • ADS cannot be disabled. It is a property of the file system, so the available control is detection rather than prevention.

Abuse Potential

SANS ADS

Signed Malware

When a file is signed, the signature hash covers only the primary stream. Authenticode signatures on executables, for example, are computed over the PE image in the unnamed $DATA stream. Content placed in a named stream is not covered, so a signed, trusted file can carry hidden malware in a named stream while its signature still verifies.


Hiding Malicious Payloads in Files or Directories

Because most Windows applications (Explorer, dir without /r, text editors, most archivers) cannot enumerate the alternate data streams of a file or directory, these streams are a convenient place to hide data. The problem is compounded by exclusive locking (below): a stream placed on a file that the system holds open exclusively cannot be removed by deleting the file and, for some scanners, cannot even be found.

Modern AV and EDR products do scan named streams, so ADS no longer hides content from automated scanning. It still hides it from users and from investigators or tools that only look at the primary stream.


Hashing

Hashing applications may not consider ADS when computing the hash of a file, leading to false trust. A file hashing tool (Get-FileHash, certutil -hashfile, md5sum) opens the path without a stream suffix and therefore reads only the primary, unnamed stream. Some file integrity monitors work the same way: they protect the integrity of the primary stream's contents but not of any alternate data streams, so a named stream can be added to or changed on a monitored file without changing its recorded hash.
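The gap in practice, as an added PowerShell example (not code from the original page): the file path, its contents and the stream name "payload" are made up for the demo. Get-FileHash is run before and after a named stream is added, then every stream is hashed individually with a small helper that also handles the Windows PowerShell 5.1 / PowerShell 7 difference in reading bytes.

```powershell
# Added example: Get-FileHash only sees the unnamed $DATA stream.
# The path, contents and the stream name 'payload' are made up for this demo.
$path = Join-Path $env:TEMP 'ads_hash_demo.txt'
Set-Content -LiteralPath $path -Value 'benign primary stream'

function Get-StreamBytes {
    # Read one whole stream as [byte[]]. The byte-reading switch differs between
    # Windows PowerShell 5.1 (-Encoding Byte) and PowerShell 7 (-AsByteStream).
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    if ($null -eq $b) { return (New-Object byte[] 0) }   # empty stream
    return [byte[]]$b
}

function Get-AllStreamHash {
    # Hash every stream of a file (unnamed and named), one record per stream.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        Get-Item -LiteralPath $Path -Stream * | ForEach-Object {
            $bytes = Get-StreamBytes -Path $Path -Stream $_.Stream
            [pscustomobject]@{
                Stream = $_.Stream          # ':$DATA' is the unnamed stream
                Length = $_.Length
                SHA256 = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-'
            }
        }
    } finally { $sha.Dispose() }
}

# Hash of the file as an integrity tool sees it, before and after adding a stream.
$before = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
Set-Content -LiteralPath $path -Stream payload -Value 'hidden in a named stream'
$after  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

"Primary-stream hash unchanged after adding a named stream: $($before -eq $after)"
Get-AllStreamHash -Path $path | Format-Table -AutoSize
Remove-Item -LiteralPath $path
```

Get-FileHash reads the path without a stream suffix, so the two hashes match; the per-stream listing is what a stream-aware integrity check would have to record instead.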


Exclusive Locks

An exclusive lock is a way for a process running on Windows to exclude all other processes from reading or writing a particular file (in Win32 terms, opening it with a share mode of none). Share state is tracked per stream: each stream of a file has its own lock, but very few Windows applications distinguish between a lock on the unnamed stream and locks on named streams. A program that is unaware of alternate streams and only checks the primary stream will therefore incorrectly believe the whole file is inaccessible.

  • A user finds a file that has been exclusively locked by a system process and that they have permission to write to.
  • They use a stream-aware application (for example Notepad, opened on filename:streamname) to add data to a named stream. To make it harder to guess, they give the stream an obscure name.
  • Some stream scanners cannot enumerate the named streams of an exclusively locked file. Because the primary stream is locked, the file also cannot be deleted, moved, or renamed as long as the locking process is running.
  • The user can read and write the named stream using the name they chose, even while the primary stream remains locked, without the scanners noticing.
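The per-stream lock behaviour, as an added PowerShell example (not code from the original page): a temporary file, made up for the demo, is held open with an exclusive share mode from the same session, standing in for the system process. While the handle is open, the primary stream cannot be read and the file cannot be deleted, but a named stream (the made-up name "Ad52.Xq9") can still be created, written and read.

```powershell
# Added example: share modes are tracked per stream, so a named stream stays
# writable while the unnamed stream is held open exclusively.
# The path and the stream name 'Ad52.Xq9' are made up for this demo.
$path = Join-Path $env:TEMP 'ads_lock_demo.txt'
Set-Content -LiteralPath $path -Value 'primary stream content'

# Hold the unnamed stream open with FileShare.None (exclusive), as a service might.
$lock = [System.IO.File]::Open($path,
                               [System.IO.FileMode]::Open,
                               [System.IO.FileAccess]::ReadWrite,
                               [System.IO.FileShare]::None)
try {
    # The primary stream is now inaccessible to everyone else ...
    try { Get-Content -LiteralPath $path -ErrorAction Stop | Out-Null; 'primary: readable' }
    catch { "primary: $($_.Exception.Message)" }

    # ... and the file cannot be deleted while that handle exists ...
    try { Remove-Item -LiteralPath $path -ErrorAction Stop; 'delete: succeeded' }
    catch { "delete: $($_.Exception.Message)" }

    # ... but a named stream on the same file can still be created, written and read.
    Set-Content -LiteralPath $path -Stream 'Ad52.Xq9' -Value 'written while primary locked'
    "stream: $(Get-Content -LiteralPath $path -Stream 'Ad52.Xq9')"

    # Check what a stream-aware listing sees while the lock is held.
    Get-Item -LiteralPath $path -Stream * | Select-Object Stream, Length
}
finally {
    $lock.Dispose()          # release the exclusive handle
    Remove-Item -LiteralPath $path
}
```

The .NET FileStream is used only for the exclusive handle on the primary stream; the named stream is accessed through Set-Content/Get-Content -Stream because .NET Framework (Windows PowerShell 5.1) rejects paths containing a stream suffix.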

Denial of Service

Alternate streams also provide an effective means of denial of service against a host. Explorer and dir report only the size of the primary stream, so a malicious user can hide an extremely large file in a named stream: the disk fills up (the stream counts toward usage and quotas) while no visible file accounts for the space. The problem is worse for a stream placed on a file that the system holds exclusively locked, because the file cannot be deleted while the lock is held and many scanning applications cannot find a named stream on an exclusively locked file.


Default Stream

Every stream is addressed as filename:streamname:streamtype. The default, unnamed data stream has an empty name and type $DATA, so it is written filename.txt::$DATA (PowerShell lists it as :$DATA). Additional named streams are created simply by writing to filename.txt:streamname; the type defaults to $DATA and can be left off.

ex.

filename.txt::$DATA
filename.txt:stream
filename.txt:stream:$DATA

Common Stream Example

Zone.Identifier

A common use of ADS in Windows is the "Zone.Identifier" stream. It stores Microsoft's "Mark of the Web": browsers, mail clients and the Attachment Execution Service write it to files that arrive from outside the machine. While it is present, Windows warns before the file is run (SmartScreen and the Open File security warning), Office opens the file in Protected View, and PowerShell's RemoteSigned execution policy refuses to run an unsigned script, until the user unblocks the file (Properties > Unblock, or Unblock-File).

The data in the Zone.Identifier stream looks like this:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=
HostUrl=

ZoneId=3 is the Internet zone (0 = local machine, 1 = local intranet, 2 = trusted sites, 4 = restricted sites).

More info about Security Zones

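Reading and clearing the mark, as an added PowerShell example (not code from the original page): the script file, its contents and the URLs are made up for the demo, and the Zone.Identifier stream is written by hand to stand in for what a browser download would carry. The helper parses the stream into a hashtable, then Unblock-File removes it.

```powershell
# Added example: write, inspect and clear a Mark-of-the-Web stream.
# The file, its contents and the URLs are constructed for this demo.
$path = Join-Path $env:TEMP 'downloaded_tool.ps1'
Set-Content -LiteralPath $path -Value 'Write-Host "hello"'

# Simulate a download from the Internet zone (ZoneId=3).
$motw = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/
HostUrl=https://example.com/downloaded_tool.ps1
"@
Set-Content -LiteralPath $path -Stream Zone.Identifier -Value $motw

function Get-MarkOfTheWeb {
    # Parse the Zone.Identifier stream into key/value pairs; $null when absent.
    param([string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $result = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    return $result
}

$zone = Get-MarkOfTheWeb -Path $path
"ZoneId: $($zone['ZoneId'])  HostUrl: $($zone['HostUrl'])"

# Unblock-File removes the Zone.Identifier stream, the same as Properties > Unblock.
Unblock-File -LiteralPath $path
$state = if (Get-MarkOfTheWeb -Path $path) { 'present' } else { 'removed' }
"Mark of the Web after Unblock-File: $state"
Remove-Item -LiteralPath $path
```

The same helper run over a Downloads folder is a quick way to see which zone each file was tagged with and which files have already been unblocked.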


Identifying Streams

List the streams of every file in the current directory

Get-Item -Path .\* -stream *

or

gi -path .\* -stream *

or even better, walk the tree and drop the unnamed stream so only named streams are shown

Get-ChildItem -recurse | ForEach { Get-Item $_.FullName -stream * } | Where stream -ne ':$DATA'

From cmd.exe, dir /r lists the streams alongside each file.


Working with text streams

Get and Set text to a new stream

Echo some text into a new text file

echo "super NOT secret text" > ".\super_sneaky_hidden_image.txt"

Create a new stream and set its text contents (Set-Content needs a -Value; without it the cmdlet prompts for one)

Set-Content "super_sneaky_hidden_image.txt" -Stream SECRET -Value "super secret text"


Get the original data (the unnamed stream, ':$DATA'; use single quotes, because in double quotes PowerShell would expand $DATA as a variable)

Get-Content "super_sneaky_hidden_image.txt" -Stream ':$DATA'

Get the new stream ("SECRET")

Get-Content "super_sneaky_hidden_image.txt" -Stream SECRET


Executables and streams

ADS can be used to hide executable code inside other file types, but modern EDR solutions will (and should) enumerate and scan named streams. The remaining benefit to an attacker is the hashing gap described above: the host file still produces its expected hash, because the named stream is not part of what gets hashed.

Set an executable to a new stream

Put calc.exe into a new stream called "a_calculator" (Windows PowerShell 5.1 syntax; on PowerShell 7 replace -Encoding Byte with -AsByteStream on both cmdlets)

Set-Content -path ".\super_sneaky_hidden_image.txt" -value $(Get-Content $(Get-Command calc.exe).Path -readcount 0 -encoding byte) -encoding byte -stream a_calculator

Call an executable from a specified stream

Create and call a process from the stream "a_calculator". CreateProcess accepts a stream path, which is why the WMI Win32_Process.Create call works here; note that wmic is deprecated and is no longer installed by default on recent Windows 11 builds.

wmic process call create $(Resolve-Path .\super_sneaky_hidden_image.txt:a_calculator)
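Pulling the Identifying Streams, Denial of Service and Executables sections together, here is an added PowerShell hunting script (not code from the original page). It walks a tree, lists every named stream, hides the routine Zone.Identifier streams unless asked, flags streams above a size threshold, and applies a cheap "MZ" header check to spot PE images stored in a stream. The function name, the 10 MB threshold and the MZ heuristic are choices made for this example.

```powershell
# Added example: hunt a directory tree for non-default streams and triage them.
# Find-SuspiciousStream, the size threshold and the 'MZ' check are this demo's choices.
function Find-SuspiciousStream {
    param(
        [string]$Root = '.',
        [int64]$LargeBytes = 10MB,        # flag streams at least this big (disk-filling angle)
        [switch]$IncludeZoneIdentifier    # Mark-of-the-Web streams are normal; hidden by default
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Stream enumeration fails on some system files; skip them rather than abort the sweep.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
      } |
      Where-Object { $_.Stream -ne ':$DATA' } |
      Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
      ForEach-Object {
        # Cheap header check: a PE image starts with 'MZ'. Only the first line is read.
        $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
        $isPe = ($head -is [string]) -and $head.StartsWith('MZ')
        [pscustomobject]@{
            File        = $_.FileName
            Stream      = $_.Stream
            Length      = $_.Length
            LooksLikePE = $isPe
            Large       = $_.Length -ge $LargeBytes
        }
      }
}

# Usage: list named streams under the Downloads folder, including the MotW ones.
Find-SuspiciousStream -Root (Join-Path $env:USERPROFILE 'Downloads') -IncludeZoneIdentifier |
    Format-Table -AutoSize
```

Run against the file built in the Executables section, the "a_calculator" stream shows up with LooksLikePE set; run with a small -LargeBytes it also surfaces the oversized streams the Denial of Service section describes. The MZ check reads the first text line of each stream, which is enough for a first pass but is not a substitute for AV scanning of the stream contents.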