Alternate Data Streams
Execution
Creating a benign text file:
attacker@victim
Hiding an evil.txt
file inside the benign.txt
attacker@victim
Note how the evil.txt file is not visible through the explorer - that is because it is in the alternate data stream now. Opening the benign.txt shows no signs of evil.txt. However, the data from evil.txt can still be accessed as shown below in the commandline - type benign.txt:evil.txt
:
Additionally, we can view the data in the notepad as well by issuing:
attacker@victim
Observations
Note that powershell can also help finding alternate data streams:
References
Last updated