Alternate Data Streams

Execution
Creating a benign text file:
[email protected]
echo "this is benign" > benign.txt
Get-ChildItem
Could not load image
Hiding an evil.txt file inside the benign.txt
[email protected]
cmd '/c echo "this is evil" > benign.txt:evil.txt'
Could not load image
Note how the evil.txt file is not visible through the explorer - that is because it is in the alternate data stream now. Opening the benign.txt shows no signs of evil.txt. However, the data from evil.txt can still be accessed as shown below in the commandline - type benign.txt:evil.txt:
Additionally, we can view the data in the notepad as well by issuing:
[email protected]
notepad .\benign.txt:evil.txt
Observations
Note that powershell can also help finding alternate data streams:
Get-Item c:\experiment\evil.txt -Stream *
Get-Content .\benign.txt -Stream evil.txt
References
Hide Artifacts: NTFS File Attributes, Sub-technique T1564.004 - Enterprise | MITRE ATT&CK®
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/providers/filesystem-provider/get-item-for-filesystem?view=powershell-6
docs.microsoft.com
Introduction to Alternate Data Streams
Malwarebytes Labs

Timestomping

Hidden Files

Last modified 4yr ago