T1096: Alternate Data Streams

Execution

Creating a benign text file:

attacker@victim

echo "this is benign" > benign.txt
Get-ChildItem

Hiding an evil.txt file inside the benign.txt

attacker@victim

cmd '/c echo "this is evil" > benign.txt:evil.txt'

Note how the evil.txt file is not visible through the explorer - that is because it is in the alternate data stream now. Opening the benign.txt shows no signs of evil.txt. However, the data from evil.txt can still be accessed as shown below in the commandline - type benign.txt:evil.txt:

Additionally, we can view the data in the notepad as well by issuing:

attacker@victim

notepad .\benign.txt:evil.txt

Observations

Note that powershell can also help finding alternate data streams:

Get-Item c:\experiment\evil.txt -Stream *
Get-Content .\benign.txt -Stream evil.txt

References

Hide Artifacts: NTFS File Attributes, Sub-technique T1564.004 - Enterprise | MITRE ATT&CK®attack.mitre.org

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/providers/filesystem-provider/get-item-for-filesystem?view=powershell-6docs.microsoft.com

Introduction to Alternate Data Streams | Malwarebytes LabsMalwarebytes

PreviousT1099: Timestomping NextT1158: Hidden Files

Last updated 4 years ago

hashtagExecution

hashtagObservations

hashtagReferences

Execution

Observations

References