The topic of this article is the Alternate Data Streams (ADS) feature, focusing on what it is and how and where it helps and discussing the sinister side of this NTFS File System feature.
An Overview of Alternate Data Streams
In the NTFS file system used in Microsoft Windows, every file comprises one or more data streams. The primary data stream contains the file’s content, while ADS allows additional data to be associated with a file without changing much of its size or appearance. ADS can be hidden within regular files and are not easily detectable.
As such, ADS provides a way for legitimate applications to store metadata within a file, such as author information or thumbnail images. This can be useful for organising and managing files and indexing.
Potential Exploitation by Attackers
Setting aside its legitimate use cases, ADS could be used by malicious actors to:
- Conceal content within a file, such as hiding malware within an ADS attached to a seemingly harmless file, such as a text document or an image.
- Evade detection or bypass security controls by attaching ADS to a trusted or system file. This technique helps them to infiltrate a system and stay undetected so they can carry out various malicious activities, such as executing unauthorised commands, stealing sensitive data or even establishing a Command and Control (C2) operation.
How to Create Alternate Data Streams
Creating an ADS is easy and can be done within seconds using these steps. Please note that the following steps are only for demonstration purposes and should not be used as part of any illegal activity.
- Launch Windows PowerShell and issue the following cmdlet to create a text file called “examplefile” and save the content next to the value switch.
Set-Content .\examplefile.txt -Value "This is the legitimate content."
- Then you can issue the following cmdlet to add an ADS to the previously created file. We’ll name it “hiddenstream” and add a value switch for it, too.
Set-Content .\examplefile.txt -Stream hiddenstream -Value 'This is the hidden malicious content."
- Next, we will issue the following cmdlet to get all the available streams for the “examplefile”.
Get-Item .\examplefile.txt -Stream *
This will give us the following output where the $DATA value is the primary content of the file, and the “hiddenstream” value is the ADS we added previously.
- Now we’ll issue the following cmdlet to read the ADS content.
Get-Item .\examplefile.txt | Get-Content -Stream hiddenstream
And get the following result:
- We can also use the Streams utility from Sysinternals and issue the following command to get all the available streams for our “examplefile”.
And get the following as a result:
Preventing Alternate Data Streams Abuse
In today’s cybersecurity landscape, more than relying on a single solution is required to protect against threats effectively. To bolster our defences, it is crucial to embrace a multi-layered approach, such as Defense in Depth, which encompasses Continuous Monitoring, Risk Mitigation and the employment of Endpoint Detection and Response (EDR), Managed Endpoint Detection and Response (MDR) and Extended Detection and Response (XDR) solutions to gain the required visibility across our environment.
- Continuous Monitoring is pivotal in this strategy, providing real-time visibility into our networks and endpoints. By actively monitoring and analysing activities, connections, and user behaviour, we adopt a proactive approach to stay one step ahead of potential threats.
- Risk Mitigation involves identifying vulnerabilities, assessing risks, and implementing measures to minimise the impact of potential attacks. Regularly addressing our systems’ weaknesses strengthens our overall cyber security posture and reduces the likelihood of successful breaches.
- An EDR solution will: Provide real-time visibility into endpoints and enable Incident Response capabilities by providing alerts, forensic data, and remediation options. However, EDR solutions generally require security teams to manage and investigate incidents manually.
- An MDR solution will: Employ analysts who continuously monitor and investigate security events on the managed endpoints. MDR solutions combine technology, people, and processes to enhance threat detection, response, and Incident Management. MDR solutions provide better coverage, 24x7x365 monitoring, and access to skilled professionals with expertise in threat hunting and incident response hence alleviating the burden on the internal teams.
- An XDR solution will: Provide a holistic, unified approach to threat detection and response by incorporating data from multiple sources across an organisation’s network, not just endpoints. Those sources could also be networks, cloud services and other security tools. XDR solutions enable us to identify and respond against different attack vectors affecting several systems while providing streamlined Incident Response procedures by automating workflows and orchestration.
The Alternate Data Streams (ADS) feature can store metadata and organise files. Still, attackers can also exploit it to hide malicious content and remain undetected.
Adopting a multi-layered cyber security approach and staying vigilant helps safeguard our infrastructures.