Alternate Data Streams: Adversary Defense Evasion and Detection [Guest Diary], (Wed, May 28th)

[This is a Guest Diary by Ehsaan Mavani, an ISC intern as part of the SANS.edu BACS program]

Introduction

Adversaries are leveraging alternate data streams to hide malicious data with the intent of evading detection. Numerous malicious software families have been designed to read from and write to alternate data streams [1]. To better assist in detecting and responding to cyber threats, it is important that we understand what an alternate data stream is, ways to discreetly write to an alternate data stream, and tools that can assist in detecting alternate data streams.

Alternate Data Stream

Every file on a Windows NTFS file system has a default unnamed data stream. This is the main stream, which stores the file's data and can be easily viewed with File Explorer. Alternate Data Streams are a Microsoft Windows New Technology File System (NTFS) feature which was added to help support Apple’s Hierarchical File System (HFS) [2]. An Alternate Data Stream is different from the default unnamed main stream. Alternate Data Streams are named and are not visible within File Explorer [3]. This gives us the capability to write data to a known-good file's alternate data stream. Essentially, we are able to hide malicious or secret files inside of an innocuous file, where they can’t be seen in File Explorer.

Directories can also have alternate data streams. Unlike files, directories do not have a default data stream. Instead, they have a default directory stream [3].

Why does this matter?

Adversaries want to complete their objectives and need to do so in a manner which evades detection. If our defensive tools and processes don’t scrutinize alternate data streams, adversaries are going to take advantage of our defensive blind spots. Sophisticated threat actors have been using alternate data streams to write and read data. Mitre ATT&CK has documented several skilled groups and malicious software that use this technique, categorized by Mitre as T1564.004 [1].

As a case study, the group known as Indrik Spider [4] has been operating the malicious software BitPaymer [4] to launch targeted ransomware campaigns. In 2017, BitPaymer was first identified being used to ransom the U.K.’s National Health Service, demanding 53 bitcoins. Once a computer has been compromised, the BitPaymer malware attempts to run from an alternate data stream. If it is not being run from an alternate data stream, it automatically creates a file and copies itself to the arbitrarily named alternate data stream ‘bin’. The BitPaymer ransomware has netted Indrik Spider $1.5M USD in the first 15 months of operations [4].

Writing & Reading an Alternate Data Stream

I created an empty directory and ran the commands below. When I wrote data to a nonexistent file's alternate data stream, Windows automatically created the file's default main stream with no data. Windows also created an alternate data stream with the name ‘secret’, which I specified. Alternate data streams can be named using all Unicode characters except for backslash, forward slash, colon, and the control character 0x00. A stream name can be no more than 255 characters in length [5].
1. Write data to a text file’s alternate data stream, which I named ‘secret’.
2. List directory contents. Windows created file.txt’s default data stream with 0 bytes of data. The alternate data stream ‘secret’ is not visible. Viewing the directory contents in File Explorer will also only show file.txt with 0 bytes of data.
3. Use dir /r to display the alternate data streams of files. file.txt:secret will not be shown in File Explorer.
4. Display the contents of the text file’s main data stream. Nothing is output to the screen because there is no data in file.txt’s main data stream. Opening the file in Notepad.exe will also show an empty file.
5. Explicitly specify the filename and the stream name to read the data.
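The same five steps carried out with PowerShell's FileSystem provider, which exposes streams through a -Stream parameter. This is an added example, not the diary's own commands; the working directory is an assumption.

```powershell
# Added example (not from the diary): write, list, read and remove an alternate
# data stream with PowerShell instead of cmd.exe. Run inside an empty folder.
Set-Location 'C:\Temp\adsdemo'   # assumed working directory

# 1. Write to the 'secret' stream of a file that does not exist yet.
#    Windows creates file.txt with an empty default stream plus file.txt:secret.
Set-Content -Path .\file.txt -Stream secret -Value 'hidden text'

# 2. A normal listing shows only the 0-byte default stream.
Get-ChildItem .\file.txt | Select-Object Name, Length

# 3. Enumerate every stream on the file; ':$DATA' is the default (unnamed) stream.
Get-Item .\file.txt -Stream * | Select-Object FileName, Stream, Length

# 4. The default stream really is empty, so this prints nothing.
Get-Content .\file.txt

# 5. The named stream holds the data.
Get-Content .\file.txt -Stream secret

# Cleanup: removing only the stream keeps the file; Remove-Item without -Stream
# deletes the file and every stream attached to it.
Remove-Item .\file.txt -Stream secret
```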


Figure 1 Writing, reading, and displaying a file alternate data stream

Executing Alternate Data Streams

Alternate data streams can be directly executed by many Windows tools [6]. PowerShell, rundll32, wmic, wscript, and cscript are some of the tools that are capable of executing binaries stored in alternate data streams. These are all legitimate tools that are pre-installed on Windows operating systems.

I created an executable that enumerates all files on a victim machine, sending the results to an attacker-controlled web server via URL encoded GET requests. I hid the executable inside of an alternate data stream. The executable was successfully run with wmic.


Figure 2 Executing enumerateFiles.exe in GoodFile’s alternate data stream

Alternate Data Streams in Reserved Names

There are special reserved names in Microsoft Windows that cannot be used for file names [7]. CON is one of those unique reserved file names. If you try to create a file with the name CON using File Explorer, Windows will display an error, preventing the creation of the file.


Figure 3 Windows error when creating a file with a reserved name in File Explorer

Interestingly, it is possible to circumvent this error and successfully create a file with a reserved name by utilizing special prefixes [8]. “\\?\” is a prefix that tells the Windows API to disable string parsing, sending the string that follows the prefix straight to the file system [7].

Even more insidious, alternate data streams written to files with reserved names are not visible in directory listings with dir /r unless the prefix “\\?\” is added to the file path. In order to read, write, and delete the file, the prefix “\\?\” must be added to the file path.
1. Write data to the alternate data stream of a file with the reserved name CON. To create this file, the prefix “\\?\” must be included.

2. List directory contents with dir /r. The file CON is visible, but the alternate data stream is not visible. If navigating to “C:\Temp” within File Explorer, neither this file nor the file’s alternate data stream will be visible.

3. List directory contents with dir /r and the absolute file path of CON with “\\?\” prepended. The alternate data stream is visible. If navigating to “\\?\C:\Temp” within File Explorer, this file will be visible, but the alternate data stream will not be visible.


Figure 4 Writing data to the alternate data stream of a reserved name

Detecting Alternate Data Streams in Files

Alternate data streams are part of the Windows NTFS file system and cannot be disabled. Understanding how adversaries create and interact with alternate data streams can help us detect and respond to suspicious streams [6]. Due to their naming convention, it is possible to create a detective control that monitors for reading, writing, or executing file names that contain a colon. Mitre has published Splunk queries that identify the execution of alternate data streams with common Windows tools [9]. To gain visibility into the different streams that exist, tools such as dir /r and Streams.exe [10], part of the Microsoft Sysinternals suite, can be used. It’s important to note that both tools mentioned can only view the streams of files with reserved names if the prefix “\\?\” is added before the absolute file path. On a Windows 64-bit operating system, Streams.exe was not able to find streams in the %systemroot%\System32 directory. Streams64.exe was successful in finding streams in the System32 directory.

As a starting point, I created a daily scheduled task to identify alternate data streams for all files in the %systemroot%\System32 directory recursively with Streams64.exe. The output is saved to a text file with the timestamp as the filename. This gives us the capability to track and analyze the addition of new streams over time.

The scheduled task starts cmd.exe with the argument /c C:\path\to\streams64.exe -s -nobanner %systemroot%\System32 > C:\path\to\output\ADS_%date:~10,4%_%date:~4,2%_%date:~7,2%.txt


Figure 5 Using FC to compare the files automatically created with Streams64.exe and task scheduler

Unless we monitor for alternate data streams, they remain an invisible safe haven for threat actors to write and potentially execute malicious binaries. Manually finding streams within our Windows NTFS file systems does not scale. Command-line tools can be used with Task Scheduler to periodically enumerate streams. Automating this process helps us gain visibility into streams that may be hiding on our systems.
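A PowerShell version of the scheduled enumeration described above, added here as an example (it is not the diary's task or a Sysinternals tool): it enumerates named streams with Get-Item -Stream, writes a dated CSV, and plays the role of FC by diffing against the previous report. The scan root and report folder are assumptions; like Streams.exe, it will not see streams on reserved-name files unless those paths are opened with the “\\?\” prefix.

```powershell
# Added example (not from the diary): enumerate named streams under a directory,
# save a timestamped report, and report streams added or removed since last run.
param(
    [string]$Root   = "$env:SystemRoot\System32",  # directory to scan (assumed)
    [string]$OutDir = 'C:\ADS-Reports'             # where reports are kept (assumed)
)

function Get-NamedStreams {
    param([string]$Path)
    # Get-Item -Stream * returns one object per stream. ':$DATA' is the default
    # unnamed stream every file has, so it is filtered out. Zone.Identifier is
    # the usual Mark-of-the-Web stream and is kept but tagged for triage.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $note = if ($_.Stream -eq 'Zone.Identifier') { 'MOTW' } else { 'review' }
            [pscustomobject]@{
                FileName = $_.FileName
                Stream   = $_.Stream
                Length   = $_.Length
                Note     = $note
            }
        }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyy_MM_dd'           # same ADS_yyyy_mm_dd naming as the diary
$current = Join-Path $OutDir "ADS_$stamp.csv"
Get-NamedStreams -Path $Root | Sort-Object FileName, Stream |
    Export-Csv -LiteralPath $current -NoTypeInformation

# Diff against the most recent earlier report, if one exists.
$previous = Get-ChildItem -LiteralPath $OutDir -Filter 'ADS_*.csv' |
    Where-Object { $_.FullName -ne $current } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($previous) {
    $diff = Compare-Object (Import-Csv $previous.FullName) (Import-Csv $current) `
        -Property FileName, Stream, Length
    $diff | Where-Object SideIndicator -eq '=>' |
        ForEach-Object { "NEW STREAM: $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
    $diff | Where-Object SideIndicator -eq '<=' |
        ForEach-Object { "REMOVED:    $($_.FileName):$($_.Stream)" }
} else {
    "Baseline written to $current"
}
```

Run it from a daily scheduled task with an account that can read the scan root; a non-empty NEW STREAM list with a Note of review is the signal worth investigating.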

[1] https://attack.mitre.org/techniques/T1564/004/
[2] https://www.irongeek.com/i.php?page=security/altds
[3] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
[4] https://www.crowdstrike.com/en-us/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
[5] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/5953f072-b28c-4fbf-ae50-09b0173317b9
[6] https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
[7] https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file
[8] http://www.sourceconference.com/publications/bos10pubs/Windows%20File%20Pseudonyms.pptx
[9] https://car.mitre.org/analytics/CAR-2020-08-001/
[10] https://learn.microsoft.com/en-us/sysinternals/downloads/streams
[11] https://www.sans.edu/cyber-security-programs/bachelors-degree/

———–
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
