Alternate Data Streams

https://blog.foldersecurityviewer.com/ntfs-alternate-data-streams-the-good-and-the-bad/blog.foldersecurityviewer.com

ADS Good and Bad

Putting data in Alternate data streams and how to execute itOddvar Moe's Blog

Malicious Use of ADS

What is ADS?

Alternate Data Streams (ADS) have been around since the introduction of windows NTFS. They were designed to provide compatibility with the old Hierarchical File System (HFS) from Mac which uses something called resource forks.

Basically, ADS can be used to hide the presence of a secret or malicious file inside the file record of an innocent file. That is, when windows shows you a file, say "readme.txt", the metadata that tells your system where to get "readme.txt" may also contain information for "EvilSpyware.exe". Thus, malicious files may be on your system and you cannot see them using normal means.

Good of ADS

• Windows Resource Manager leverages ADS to identify high risk files that shouldn’t be accessed.

• The Windows operating system uses ADS to encrypt and store files in a secure manner.

• The Windows Attachment Manager uses ADS as a file scanner. This explains why sometimes you receive warnings when you open a file downloaded from the Internet.

• The SQL Database server uses ADS to maintain database integrity.

• Citrix’s virtual memory uses ADS to boost DLL loading speed.

• Anti-virus applications, such as Kaspersky, uses ADS to enhance the scanning of files.

Show ADS Streams

Check to see what streams the files has. We are able to find hidden files with this. If this was unzipped, we can see where it came from. If it has Zone Identifiers, we can find the URL.

Get-Item -path 'FILEPATH' -stream *

Show Zone Identifier

Type 3 Zone Identifiers show the URL the file was downloaded from.

Get-Content -path 'FILEPATH' -stream Zone.identifier

Zone Identifier Commandsbe4sec

Types of Zone Identifiers

Browser	Version	Captures URL in ADS
Internet Explorer	11	No
Edge	42.17134	Yes
Chrome	68	Yes
Firefox	61	No
Tor	7.5.6	No

URL Not Showing Up

If the HostURL is displaying as about:internet, it was most likely downloaded through HTML Smuggling.

HTML Smuggling:

ZoneId=3
HostUrl=about:internet

Traditional Download:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
HostUrl=https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download

Ways of phishing 2 - HTML smugglingwww.senturean.com

HTML Smuggling

Read Contents of Stream

Get-Content -path 'FILEPATH' -stream HIDDENFILE