Exploiting Windows ADS To Hide Payloads Backdoors

This article explains how Alternate Data Streams (ADS), a feature of the NTFS file system on Windows, can be abused to hide malicious payloads and backdoors inside legitimate-looking files so that they evade basic detection. The piece walks through the commands used to create a named stream, copy an executable into it, and execute the hidden content. Affected: Windows, cybersecurity sector

Keypoints :

  • ADS stands for Alternate Data Streams, an NTFS feature originally added for compatibility with the resource forks of the Macintosh Hierarchical File System (HFS).
  • Every NTFS file has one unnamed default data stream (shown by tools as :$DATA) that holds the file's normal content, and may carry any number of additional named streams; these named streams are what the article, following the HFS data-fork/resource-fork terminology, calls the "resource stream".
  • Attackers can store malicious code or whole executables in a named stream of a legitimate file, where they are invisible to Explorer, a plain `dir` listing, and basic antivirus checks that only inspect the default stream.
  • The proof of concept creates a carrier file and writes a malicious payload into one of its named streams.
  • A command such as `notepad test.txt:secret.txt` opens (and on save creates) a stream named secret.txt attached to test.txt; the content never appears in test.txt itself.
  • The file size reported by Explorer and `dir` is unchanged after the stream is written, because only the default stream is counted; `dir /r` or PowerShell's `Get-Item -Stream *` is needed to see the extra streams.
  • An executable can be hidden by redirecting its bytes into a named stream of a legitimate file (the `type <payload.exe> > <legit file>:<stream name>` form of that redirection).
  • Creating a symbolic link under System32 that points at the stream lets the hidden payload run whenever the linked name is typed as a command; writing to System32 requires administrative rights, so this step is not available to a low-privileged attacker.
  • ADS is a documented file-system feature rather than a vulnerability, but it is a defense-evasion aid against tooling that only scans default streams; `dir /r`, PowerShell's `Get-Item -Stream *`, and Sysinternals Streams all enumerate named streams, and modern antivirus engines such as Microsoft Defender do inspect them.
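The following PowerShell script is an added example, not code from the original article. It reproduces the hiding steps the keypoints describe (a named text stream, an executable copied into a second stream, the unchanged reported size) and then runs the check a defender would want: enumerating every stream on the file and sweeping a directory tree for files that carry non-default streams. The scratch folder, stream names and the use of calc.exe as a stand-in for an attacker's executable are assumptions; the article's System32 symlink step is shown only as a comment because it needs an elevated shell.

```powershell
# Added example (PowerShell), not from the original article.
# Assumptions: scratch folder under %TEMP%, stream names 'secret.txt' and
# 'payload.exe', and calc.exe standing in for an attacker-supplied executable.

$Work    = Join-Path $env:TEMP 'ads-demo'                  # assumption: scratch folder
$Carrier = Join-Path $Work 'test.txt'                      # legitimate-looking carrier file
$Payload = Join-Path $env:SystemRoot 'System32\calc.exe'   # assumption: stand-in payload EXE

New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Content -Path $Carrier -Value 'Nothing to see here.'
$before = (Get-Item $Carrier).Length

# 1. Hide text in a named stream (same effect as: notepad test.txt:secret.txt)
Set-Content -Path $Carrier -Stream 'secret.txt' -Value 'hidden note'

# 2. Hide an executable in a second named stream (same effect as redirecting
#    the EXE's bytes into test.txt:payload.exe with type/>)
$bytes = [System.IO.File]::ReadAllBytes($Payload)
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $Carrier -Stream 'payload.exe' -Value $bytes -AsByteStream
} else {
    Set-Content -Path $Carrier -Stream 'payload.exe' -Value $bytes -Encoding Byte
}

# 3. The size Explorer and dir report is unchanged: only the unnamed :$DATA
#    stream counts toward FileInfo.Length.
$after = (Get-Item $Carrier).Length
"Reported size before: $before  after: $after  (bytes hidden in ADS: $($bytes.Length))"

# 4. The check: enumerate every stream on the file. ':$DATA' is the real content;
#    anything else is an alternate stream. (cmd.exe equivalent: dir /r test.txt)
Get-Item -Path $Carrier -Stream * | Select-Object Stream, Length

# 5. Defender sweep: files under a root that carry non-default streams.
#    Zone.Identifier is the benign mark-of-the-web stream and is filtered out
#    so that every download does not show up as a hit.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $Work

# 6. Read a hidden stream back, then remove it without touching the carrier's
#    visible content.
Get-Content -Path $Carrier -Stream 'secret.txt'
Remove-Item -Path $Carrier -Stream 'payload.exe'

# 7. The article's execution step, NOT run here: from an elevated shell,
#      mklink C:\Windows\System32\<name>.exe "<carrier>:payload.exe"
#    after which typing <name> launches the hidden stream. The link name is
#    the attacker's choice and writing to System32 requires administrator rights.
```

Run the script from a normal PowerShell prompt on an NTFS volume; step 5 is the part worth keeping as a periodic hunt, pointed at user-writable locations such as %TEMP%, Downloads and web roots.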


Full Story: https://infosecwriteups.com/using-windows-ads-to-hide-payloads-backdoors-3c4519ffb4b5?source=rss—-7b722bfd1b8d—4