Alternate Data Streams - Red Teaming Experiments

Red Teaming Experiments

linkedin twitter patreon github

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

offensive security

Red Team Infrastructure

Code & Process Injection

Defense Evasion

AV Bypass with Metasploit Templates and Custom Binaries

Evading Windows Defender with 1 Byte Change

Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions

Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs

Windows API Hashing in Malware

Detecting Hooked Syscalls

Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs

Retrieving ntdll Syscall Stubs from Disk at Run-time

Full DLL Unhooking with C++

Enumerating RWX Protected Memory Regions for Code Injection

Disabling Windows Event Logs by Suspending EventLog Service Threads

Obfuscated Powershell Invocations

Masquerading Processes in Userland via _PEB

Commandline Obfusaction

File Smuggling with HTML and JavaScript

Alternate Data Streams

Encode/Decode Data with Certutil

Downloading Files with Certutil

Packed Binaries

Unloading Sysmon Driver

Bypassing IDS Signatures with Simple Reverse Shells

Preventing 3rd Party DLLs from Injecting into your Malware

ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)

Parent Process ID (PPID) Spoofing

Executing C# Assemblies from Jscript and wscript with DotNetToJscript

Enumeration and Discovery

Privilege Escalation

Credential Access & Dumping

Lateral Movement

reversing, forensics & misc

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

Powered By GitBook

Alternate Data Streams

Execution
Creating a benign text file:
[email protected]
echo "this is benign" > benign.txt
Get-ChildItem
Could not load image
Hiding an evil.txt file inside the benign.txt
[email protected]
cmd '/c echo "this is evil" > benign.txt:evil.txt'
Could not load image
Note how the evil.txt file is not visible through the explorer - that is because it is in the alternate data stream now. Opening the benign.txt shows no signs of evil.txt. However, the data from evil.txt can still be accessed as shown below in the commandline - type benign.txt:evil.txt:
Additionally, we can view the data in the notepad as well by issuing:
[email protected]
notepad .\benign.txt:evil.txt
Observations
Note that powershell can also help finding alternate data streams:
Get-Item c:\experiment\evil.txt -Stream *
Get-Content .\benign.txt -Stream evil.txt
References
Hide Artifacts: NTFS File Attributes, Sub-technique T1564.004 - Enterprise | MITRE ATT&CK®
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/providers/filesystem-provider/get-item-for-filesystem?view=powershell-6
docs.microsoft.com
Introduction to Alternate Data Streams
Malwarebytes Labs

Last modified 3yr ago

Copy link

On this page

Execution

Observations

References