Preface
This article covers a little-known and poorly documented feature of the NTFS file system called the Alternate Data Stream, or simply ADS. It presents the concept, its uses, ways of identifying it, and ways of refining the technique.
Although this technique of hiding malicious payloads in the file system is considered old, it is still very much in use today.
What is Alternate Data Stream (ADS)?
Alternate Data Stream (ADS) is a feature of the NTFS file system, first implemented in Windows NT 3.1 to provide compatibility with the Macintosh HFS (Hierarchical File System). In short, this feature allows a file to contain more than one stream of data.
Every file in NTFS has at least one visible data stream. In Windows environments this default stream is the $DATA attribute of the file's MFT record, written :$DATA and also called the unnamed data stream.
Experimentation
To better understand how these data streams work, let's open cmd.exe and run some tests.
First, let's start by creating a text file with the content Mente Binária.
echo "Mente Binária" > mentebin.txt
Before proceeding, save the size of the generated file.
As a second step, let's insert a second data stream into this file.
echo "Hacking Force" > mentebin.txt:hf.txt
Note that when listing the directory, the mentebin.txt file still has 18 bytes; no apparent difference can be noticed.
To verify the existence of an ADS we need to use the /r flag of dir, which displays alternate data streams.
Now we can see the hf.txt stream inside the mentebin.txt file.
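The listing step above is what an analyst scripts when triaging a directory for hidden streams. The following Python script is an added example (not part of the original article) that parses the text `dir /r` prints, pulls out every named stream, and tags each one; the sample listing is constructed to match the files created in this article, and the triage rules (Zone.Identifier is expected on downloads, executable-looking stream names come first) are the example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `dir /r` output; not captured from a real machine.
# Named streams are printed under their host file as
#     <size> <file>:<stream>:$DATA
# with no date column, which is what the regex below keys on.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\Kirito\\Desktop

08/12/2023  10:00 AM    <DIR>          .
08/12/2023  10:00 AM    <DIR>          ..
08/12/2023  10:01 AM                18 mentebin.txt
                                    17 mentebin.txt:hf.txt:$DATA
08/12/2023  10:05 AM            46,200 cat.jpg
                                    26 cat.jpg:Zone.Identifier:$DATA
08/12/2023  10:10 AM                21 mentbin
                           1,234,567 mentbin:calc.exe:$DATA
               3 File(s)         46,239 bytes
"""

# A stream line: leading spaces, a size (thousands separators allowed),
# the host file name, the stream name, and the literal ":$DATA" suffix.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(\S.*?):([^:\\/]+):\$DATA\s*$")

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


@dataclass
class AdsEntry:
    host_file: str
    stream: str
    size: int


def parse_dir_r(output: str) -> List[AdsEntry]:
    """Return every named stream that `dir /r` printed, in listing order."""
    entries = []
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue  # ordinary file/dir lines and the summary footer
        size = int(m.group(1).replace(",", ""))
        entries.append(AdsEntry(host_file=m.group(2), stream=m.group(3), size=size))
    return entries


def classify(entry: AdsEntry) -> str:
    """Triage tag: the mark-of-the-web stream is expected on downloaded files;
    a stream whose name looks like an executable deserves the first look."""
    if entry.stream == "Zone.Identifier":
        return "expected"
    if entry.stream.lower().endswith(EXECUTABLE_SUFFIXES):
        return "suspicious"
    return "review"


if __name__ == "__main__":
    for e in parse_dir_r(SAMPLE_DIR_R):
        print(f"{classify(e):10} {e.host_file}:{e.stream} ({e.size} bytes)")
```

On a real system, feed the script the saved output of `dir /r /s` from the directory under review; the regex ignores the ordinary file lines and the footer, so only the stream lines come back.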
When opening the file with Notepad, type, or Windows Explorer, only the main data stream is displayed.
To read the contents of a stream we can use the more or sort binaries.
more < mentebin.txt:hf.txt
sort < mentebin.txt:hf.txt
Usage case
But now the question arises: why is this used?
Well, I believe we can answer this question with a practical demonstration. When we download a file from the internet using a browser, for example, an additional $DATA stream is created on the file to record where it was downloaded from.
Demonstration
Let's download the kitten image from the post Detectando overlays em executáveis ELF by Fernando Mercês.
file cat.jpg
By listing the files with dir /r it is possible to see the existence of an ADS called Zone.Identifier.
By checking its content, we were able to extract the information about where this image was downloaded from. Cool huh?
more < cat.png:Zone.Identifier:$DATA
sort < cat.png:Zone.Identifier:$DATA
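The Zone.Identifier stream read above is a small INI-style block with a [ZoneTransfer] section; the ZoneId value maps to the Windows URL security zones (0 local machine, 1 local intranet, 2 trusted sites, 3 internet, 4 restricted sites) and the optional ReferrerUrl/HostUrl keys carry the origin. The parser below is an added example, not code from the article; the sample stream content and its URLs are constructed placeholders, not the real origin of the image.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URL security zone ids as Windows writes them into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed stream content in the shape a browser writes for a download;
# the URLs are placeholders, not the article's real image source.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/post-about-elf-overlays
HostUrl=https://example.invalid/images/cat.jpg
"""


@dataclass
class ZoneTransfer:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> ZoneTransfer:
    """Parse the [ZoneTransfer] block of a Zone.Identifier stream.

    Keys are matched case-insensitively (configparser lower-cases them),
    interpolation is off so '%' in URLs is taken literally, and a stream
    without the section or without ZoneId is rejected rather than guessed.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    section = parser["ZoneTransfer"]
    if "zoneid" not in section:
        raise ValueError("Zone.Identifier stream has no ZoneId")
    zone_id = int(section["zoneid"])
    return ZoneTransfer(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}"),
        referrer_url=section.get("referrerurl") or None,
        host_url=section.get("hosturl") or None,
    )


def is_internet_origin(zt: ZoneTransfer) -> bool:
    """True for zones 3 and 4, the ones SmartScreen and Office treat as untrusted."""
    return zt.zone_id >= 3


if __name__ == "__main__":
    zt = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(f"zone {zt.zone_id} ({zt.zone_name}), downloaded from {zt.host_url}")
```

To use it on a real file, read the stream with the redirection shown in the article (`more < file:Zone.Identifier:$DATA > zone.txt`) and pass the saved text to `parse_zone_identifier`.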
Hiding binaries in the data stream
With this feature we can hide any type of data using ADS, so how about we start by hiding the calculator's binary?
echo Mente Binaria Calc > mentbin
type mentbin
dir /r
type \windows\system32\calc.exe > mentbin:calc.exe
Using wmic we will run the hidden binary.
The Windows Management Instrumentation Command-line (WMIC) tool is a script and command-line interface that simplifies the use of Windows Management Instrumentation (WMI) and of systems managed through WMI. Although the Microsoft website carries a notice that this feature has been deprecated as of Windows 10, version 21H1, replaced by the Windows PowerShell utility for WMI, it is still present in the most current versions of the system.
wmic process call create C:\Users\Kirito\Desktop\mentbin:calc.exe
Maaaaagic!
Forensic Relevance
From a forensic perspective, NTFS alternate data streams have serious anti-forensic implications: attackers can hide incriminating files or malicious payloads in streams attached to other files, and the same technique can be used for data exfiltration. Below, the identification process is demonstrated.
Identification
As mentioned in the preface, this technique of hiding data using ADS is already well known, and Windows Defender and several antivirus products are able to map these streams. Furthermore, a system administrator or forensic analyst can easily find these files with simple PowerShell one-liners.
ls | % {gi $_.FullName -stream *} | ? stream -ne ':$DATA'
gci -Recurse | % {gi $_.FullName -stream *} | ? stream -ne ':$DATA'
Refining the technique
What if I told you there is a way to refine this technique and make it harder to identify? Below are some names that are reserved in Windows environments:
CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8 and LPT9
And now you wonder: what does that have to do with it?
Let's look at what happens when we try to create any type of file using one of these reserved names.
echo Mente Binaria > COM1
echo Mente Binaria > COM1.txt
The file is not created. 😟
The Catch
There is a way to bypass reserved-name checking. Using the "\\?\" or "\\.\" prefix tells the Windows APIs to skip their path string parsing and pass the path directly to the file system, which makes it possible to create files with these names.
Demonstration
echo "Mente Binaria" > \\?\C:\Users\Kirito\Desktop\COM1.TXT
type \\?\C:\Users\Kirito\Desktop\COM1.TXT
Whoopsie, whoopsie, look, we managed to create the file.
Now let's look at what happens when we place a data stream inside a file with a reserved name.
echo "Mente Binaria" >> \\?\C:\Users\Kirito\Desktop\COM1.TXT:mentbin.txt
Wait a minute, where's the ADS of the COM1.TXT file?
That's the catch: Windows no longer lists the ADS of that file; only those who created the file and know the name can see or execute its content.
more < \\?\C:\Users\Kirito\Desktop\COM1.TXT:mentbin.txt
sort < \\?\C:\Users\Kirito\Desktop\COM1.TXT:mentbin.txt
Look what happens when we try to search for this file using the commands demonstrated earlier.
An interesting point deserves attention: when trying to delete the file through the graphical interface, a "File Access Denied" warning is displayed, and even after granting administrative permissions Windows cannot delete the file. To delete it, the complete path must be given using the "\\?\" or "\\.\" prefix.
Deleting the file:
del \\?\C:\Users\Kirito\Desktop\COM1.TXT
Observation
There is a single tool called LADS that can identify the streams of files with reserved names; however, it has not been updated since 2015. GitHub: lads.exe
Mente Binária: Abuse of Alternate Data Streams (ADS) (original title: Abuso de fluxo de dados alternativos (ADS))
References
Microsoft, Naming Files, Paths, and Namespaces - Win32 apps
SANS Institute, Alternate Data Streams Overview
OWASP Foundation, Windows ::DATA Alternate Data Stream