Hacking Awareness & Alternate Data Streams (ADS)

by Daniel Simpson 0 Comments

The Watch Commander’s Log is a series that provides a direct view into the threats Agio’s Managed Detection and Response (MDR) team handles for our clients. If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.  

This post highlights some of the common technology—alternate data streams (ADS)—that bad actors may use against systems to orchestrate attacks and what that looks like.

ADS is a feature of the NTSF file system. NTSF lets anyone add a bit of data to a file that an average user can’t necessarily view. Why was it created if it can potentially hide information? Because Microsoft needed a method to aid in supporting the Hierarchical File System (HFS), which supports Mac OS.

ADS is not bad technology, and to this day, every Windows system will have files that have ADS information in them. Anti-malware software can detect and scan against these types of files if the content is malicious—this is good news. But the unfortunate news is that ADS may be used as a cog within some malicious orchestration, which may not be detected.

What does ADS look like?

Below is a simple text file I created for demonstration purposes. As you can see, it is very simple—there’s no out-of-the-ordinary content to the file.

Here’s how that file content looks in PowerShell. I’m presenting this view so everyone can see that there is nothing up the proverbial “magician’s sleeve.”

Regarding any appearance of multiple data streams within a file, the default container for data will be usually be called something like $DATA. I’ve created an alternate stream from the above example, ADSTestingFile.txt. Notice that there is a $DATA stream within the file, but check out what else was added—EvilPayload stream with a length of 166 characters!

The image below shows the contents of the streams within the file. Take a look at the 166-character code that is contained within the script. This is some obfuscation via Base64 encoding!

Is your curiosity piqued? Let me explain what that encoding is about. Attackers will take extra steps to hide themselves on your system. If hiding in ADS isn’t enough, they’ll add another layer to their code to help dodge defensive mechanisms. Because this looks like base64, sounds like base64, it must be base64 encoding. There are several tools on the Internet you could use to decode this type of encoding.

In summary, an attacker could send an inconspicuous file with an additional stream that can be used in their malicious orchestration. They may also use this technology to exfiltrate data from inside an organization’s infrastructure, or in part of using system tools against a user, such as Notepad or calculator.

If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.