t1096-alternate-data-streams.md

File metadata and controls

63 lines (40 loc) · 1.61 KB

Alternate Data Streams

Execution

Create a benign text file and list the directory from PowerShell:

{% code title="attacker@victim" %}

echo "this is benign" > benign.txt
Get-ChildItem

{% endcode %}

Hide the contents of an "evil.txt" inside benign.txt by writing to a named stream; the colon in `benign.txt:evil.txt` names the alternate data stream (the command goes through cmd.exe because cmd's redirection accepts the stream syntax):

{% code title="attacker@victim" %}

cmd '/c echo "this is evil" > benign.txt:evil.txt'

{% endcode %}

Note that evil.txt is not visible in Explorer or in the Get-ChildItem listing above, and opening benign.txt shows no sign of it: Explorer and `dir` report only the file's default ($DATA) stream, so neither the name nor the size gives the hidden stream away. The data can still be reached from the command line by addressing the stream directly, for example `type benign.txt:evil.txt` in cmd.exe (if a given build rejects the stream name, `more < benign.txt:evil.txt` works because the redirection opens the stream at the file-handle level).

The stream can also be opened in Notepad by passing the stream path:

{% code title="attacker@victim" %}

notepad .\benign.txt:evil.txt

{% endcode %}

Observations

PowerShell's FileSystem provider exposes streams directly, so hidden streams can be listed and read without dropping to cmd.exe. The stream hangs off the carrier file (benign.txt), not off a separate evil.txt, so that is the path to query:

{% code title="attacker@victim" %}

Get-Item c:\experiment\benign.txt -Stream *
Get-Content .\benign.txt -Stream evil.txt

{% endcode %}

From cmd.exe, `dir /r` lists every stream next to its file. Alternate data streams are an NTFS feature: copying the file to a FAT or exFAT volume silently drops them, and an ADS on a file is not the only place they appear, since directories can carry them as well.
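The walkthrough above and the PowerShell checks in this section can be combined into one script. The following is an added example, not code from the original page: it recreates the hidden stream with PowerShell's own `-Stream` parameter (no cmd.exe), confirms the directory listing hides it, then hunts a directory tree for files carrying any stream other than the default `:$DATA`. The `C:\experiment` path is an assumption for the lab, and excluding `Zone.Identifier` (the mark-of-the-web that browsers attach to downloads) is a triage choice, not a rule.

```powershell
# Added example, not from the original page. C:\experiment is an assumed lab path.
$lab = 'C:\experiment'
New-Item -ItemType Directory -Path $lab -Force | Out-Null

# Step 1: carrier file plus a hidden stream, written with the FileSystem
# provider's -Stream parameter instead of cmd.exe redirection.
Set-Content -Path "$lab\benign.txt" -Value 'this is benign'
Set-Content -Path "$lab\benign.txt" -Stream 'evil.txt' -Value 'this is evil'

# Step 2: the listing reports only the default stream's length, so the file
# looks unchanged in Explorer and Get-ChildItem.
Get-ChildItem -Path $lab | Select-Object Name, Length

# Step 3: hunt. Every file has :$DATA; Zone.Identifier is usually a benign
# browser artefact (assumed noise here). Anything else deserves a look.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $IgnoreStreams -notcontains $_.Stream } |
        ForEach-Object {
            $raw = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                File    = $file.FullName
                Stream  = $_.Stream
                Length  = $_.Length
                # first 60 characters of the stream, enough to triage text payloads
                Preview = if ($raw) { $raw.Substring(0, [Math]::Min(60, $raw.Length)).Trim() } else { '' }
            }
        }
    }
}

$hits = Find-AlternateDataStreams -Path $lab
$hits | Format-Table -AutoSize

# Step 4: remediation. Remove only the hidden stream; the carrier file stays.
foreach ($hit in $hits) {
    Remove-Item -LiteralPath $hit.File -Stream $hit.Stream
}
```

Run it from an elevated or normal PowerShell 3.0+ session on an NTFS volume; `-Force` on `Get-ChildItem` also walks hidden files, and `-ErrorAction SilentlyContinue` keeps the scan going past files on non-NTFS mounts or with no read access, which are the cases where `-Stream` errors out.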

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1096" %}

{% embed url="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/providers/filesystem-provider/get-item-for-filesystem?view=powershell-6" %}

{% embed url="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" %}