ADS and its applications
What are Alternate Data Streams (ADS)?
An Alternate Data Stream (ADS) is the ability of the NTFS file system (the main file system format in Windows) to store several streams of data for one file, in addition to the default stream that normally holds the file's contents. When this feature was created, its main purpose was to provide support for the macOS Hierarchical File System (HFS).
NTFS files are made up of attributes. The relevant attribute for our scope is the $DATA attribute, which stores the data streams of a file.
In the past it was common to store a malicious payload within an ADS of a legitimate file, but today many security solutions detect and scan ADSs. We will show, however, that ADS can still be used to exfiltrate data through firewalls and network scanners without raising any red flag.
Effect of ADS:
- No change in the hash of the file.
- No change in the properties of the file.
- Even with a hex editor or hex dump, the hidden file's signature cannot be seen.
- When the primary stream is deleted, all secondary streams are deleted with it.
- A stream can hold an unlimited amount of data (any size).
- Each primary stream can have at most 4106 streams attached to it.
Creation of ADS and attaching it to a file:
Alternate Data Streams are extremely easy to make and require little or no skill on the part of the hacker. Common DOS commands like type are used to create an ADS, in conjunction with a redirect (>) and a colon (:) to fork one file into another.
type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe
The above command forks the common Windows Calculator program with an ADS named anyfile.exe.
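The following PowerShell session is an added example, not code from the original post. It checks the claims made in the "Effect of ADS" list on a throwaway file (the directory name and file contents are constructed for the demo): the primary stream's SHA-256 hash and Length do not change when a stream is attached, yet Get-Item -Stream * and dir /r both reveal the extra stream. Set-Content -Stream is the PowerShell equivalent of the type redirect shown above.

```powershell
# Added example, not from the original post: verify that attaching an ADS leaves
# the primary stream's hash and size unchanged, then list the streams anyway.
# The directory and file contents below are constructed for this demo.
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$carrier = Join-Path $demoDir 'report.txt'
Set-Content -Path $carrier -Value 'Quarterly report (constructed carrier file)'

$hashBefore = (Get-FileHash -Path $carrier -Algorithm SHA256).Hash
$sizeBefore = (Get-Item -Path $carrier).Length

# Attach a 64 KB secondary stream named hidden.bin. This is the PowerShell
# equivalent of the cmd form:  type payload > report.txt:hidden.bin
$payload = 'A' * 65536
Set-Content -Path $carrier -Stream 'hidden.bin' -Value $payload

$hashAfter = (Get-FileHash -Path $carrier -Algorithm SHA256).Hash
$sizeAfter = (Get-Item -Path $carrier).Length
"Primary hash unchanged  : $($hashBefore -eq $hashAfter)"
"Primary length unchanged: $($sizeBefore -eq $sizeAfter)"

# Explorer, plain dir and Get-ChildItem show only the primary stream.
# -Stream * lists every stream: ':$DATA' is the unnamed primary stream,
# hidden.bin is the attached ADS, each with its own Length.
Get-Item -Path $carrier -Stream * | Select-Object Stream, Length

# The same view from cmd, using the /r switch of dir.
cmd /c dir /r "$carrier"

# Clean up the demo directory.
Remove-Item -Path $demoDir -Recurse -Force
```

Note that Get-FileHash, like most tools, hashes only the primary stream; an integrity check that is meant to notice attached data has to hash each stream returned by Get-Item -Stream * separately.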
Invoking an ADS
There are an enormous number of ways to invoke an ADS. Some of the most common are:
1. Get-Item
The example above invokes an ADS using the PowerShell cmdlet Get-Item.
2. WMI
type c:\temp\cid.exe > "C:\program files (x86)\autogen.log:bginfo.exe"
wmic process call create '"C:\program files (x86)\autogen.log:bginfo.exe"'
Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network of Windows computers. WMI is thus a convenient option for invoking an ADS.
A well-organized and extensive list (more than 30 methods of invoking ADS) is given here:
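Whichever launcher is used, the process-creation record ends up containing a path in the file:stream form shown above. The following detection logic is an added example, not part of the original post: it scans constructed process-creation log lines (modelled loosely on event 4688 fields) for a drive path that carries a second colon, reports the file and stream name, and marks Zone.Identifier (the mark-of-the-web stream that browsers and Explorer read routinely) as expected noise. The field layout and log lines are assumptions; real records would come from the Security or Sysmon event log.

```powershell
# Added example, not from the original post: flag process-creation events whose
# command line or image path references an alternate data stream with the
# file:stream syntax. The log lines below are constructed for this demo.
function Find-AdsReference {
    param([Parameter(Mandatory)][string]$Line)
    # A path is either "quoted" (may contain spaces) or a bare run of non-space text.
    $pathRegex = '(?i)"([a-z]:\\[^"]*)"|([a-z]:\\[^\s"]*)'
    foreach ($m in [regex]::Matches($Line, $pathRegex)) {
        $path = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        # Drop the drive-letter colon; any colon left over separates file from stream.
        if ($path.Substring(2) -match '^(?<file>[^:]+):(?<stream>[^:]+)(?::\$DATA)?$') {
            [pscustomobject]@{
                File   = $path.Substring(0, 2) + $Matches.file
                Stream = $Matches.stream
                Benign = ($Matches.stream -eq 'Zone.Identifier')   # mark-of-the-web, expected noise
                Line   = $Line
            }
        }
    }
}

# Constructed sample records. Lines 2 and 3 reuse the launch commands quoted in
# this post; line 4 is a routine Zone.Identifier read; lines 1 and 5 are clean.
$sampleLog = @'
4688 Image=C:\Windows\System32\calc.exe CmdLine="C:\Windows\System32\calc.exe"
4688 Image=C:\Windows\System32\wbem\WMIC.exe CmdLine=wmic process call create '"C:\program files (x86)\autogen.log:bginfo.exe"'
4688 Image=C:\Windows\System32\cmd.exe CmdLine=cmd /c type c:\temp\cid.exe > "C:\program files (x86)\autogen.log:bginfo.exe"
4688 Image=C:\Windows\System32\cmd.exe CmdLine=cmd /c more < C:\Users\u\Downloads\setup.exe:Zone.Identifier
4688 Image=C:\Program Files\Edge\msedge.exe CmdLine=msedge.exe https://example.com:8443/
'@ -split "`r?`n"

$hits = $sampleLog | ForEach-Object { Find-AdsReference -Line $_ }

# Show the findings that are not on the benign list; extend the Benign rule
# with an allow-list of stream names that are normal in your environment.
$hits | Where-Object { -not $_.Benign } | Format-Table File, Stream -AutoSize
```

The regex only catches the colon syntax; launchers that name the stream through a parameter (for example Get-Content -Stream) need a second rule keyed on that parameter, and any rule of this kind should be tuned against a baseline of the Zone.Identifier traffic a normal workstation generates.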
Removal of ADS:
Removing an ADS is not always advisable: some streams are needed by the software that created them, so do your research before removing any. The syntax is:
Remove-Item -Path {path to the file} -Stream {name of the stream}
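Because removal is a judgement call, it helps to audit first. The following script is an added example, not part of the original post: it walks a directory tree (the path is an assumption), lists every stream other than the primary ':$DATA' stream and an allow-list that defaults to Zone.Identifier, and reports each stream's size next to the primary stream's size, which is the signal that catches a large payload hidden behind a small carrier file. Removal is previewed with -WhatIf so nothing is deleted until the list has been reviewed.

```powershell
# Added example, not from the original post: audit a directory tree for
# non-default streams and preview their removal. The path is an assumption;
# Zone.Identifier is the legitimate mark-of-the-web stream and is kept by default.
function Get-SuspiciousStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedStreams = @('Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one record per stream, including the primary ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $AllowedStreams } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        PrimarySize = $file.Length   # what Explorer and dir report
                        Stream      = $_.Stream
                        StreamSize  = $_.Length      # hidden behind the primary size
                    }
                }
        }
}

# Assumed path for the audit; adjust to the share or profile you are reviewing.
$findings = Get-SuspiciousStream -Path 'C:\Users\Public\Documents'
$findings | Format-Table File, PrimarySize, Stream, StreamSize -AutoSize

# Preview removal of each reported stream. Drop -WhatIf only after the list has
# been reviewed, because streams created by legitimate software will be lost too.
foreach ($f in $findings) {
    Remove-Item -LiteralPath $f.File -Stream $f.Stream -WhatIf
}
```

A stream whose StreamSize dwarfs PrimarySize, or whose name looks like an executable or archive, deserves a look before anything is removed; copying the stream out with Get-Content -Stream to a quarantine location preserves it as evidence.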
Data Exfiltration using ADS:
Data exfiltration is a technique used by malicious actors to target, copy, and transfer sensitive data. It can be done remotely or manually and can be extremely difficult to detect, since it often resembles business-justified (or "normal") network traffic. Common targets include financial records, customer information, and intellectual property or trade secrets. Data exfiltration is an integral part of the malware kill chain; it is the stage at which we must stop malware from stealthily leaking data out of the organization.
Although security software is well trained to check inbound files for ADS (to see whether they contain malware), some of it unfortunately fails to check outbound files for the presence of ADS. Such outbound traffic may carry sensitive data in small chunks in the form of ADS.
One application of ADS is thus data exfiltration:
In the above image, we use the type command to append a file (here nessus.rar) to a much smaller PDF file. The peculiar attribute of an Alternate Data Stream is that the changes it makes to the file are not easily visible to the end user (until one uses dir with the /r switch or a tool like Streams).
As shown in the above image, two files have been appended to the ADS of the PDF file. The size and attributes of the original file remain the same, as do its hash signatures.
Now this file is ready to be exfiltrated, and the technique can be combined with advanced exfiltration methods such as using Windows subdomains to upload files, or using social media sites like Facebook to send it out.
My final thoughts:
ADS is an integral part of NTFS, so it cannot be removed. ADS is nothing new; it has been used extensively for malware delivery for nearly two decades. But newer applications of ADS make the work of security professionals more challenging and force security products to change. Deep packet inspection software should be made more robust to prevent newer applications of ADS (such as exfiltration of data through ADS).