Steganography is the practice of concealing information within another message or physical object to avoid detection. It is a well-known technique for hiding data (text, images, video or audio) inside other content, and the hidden data can then be easily extracted at its destination.
Under Windows, the NTFS file system has a feature called an Alternate Data Stream (ADS). This little-known feature can fork data into an existing file without changing the size or functionality of that file; the destination object looks exactly the same as before. Such a technique might be used to store sensitive information away from human eyes, or to hide a malicious payload that provides backdoor access to an infected system. According to MITRE, this is one of the most popular ways to hide a malicious payload on a victim machine; see ATT&CK Hide Artifacts -> NTFS File Attributes.
ADS is included in all versions of Microsoft's NTFS file system, is supported by every currently available version of Windows, and can be used from the Windows shell (cmd.exe) or from PowerShell. An ADS is just a file attribute that exists only on NTFS, named $DATA. Normally the $DATA attribute of a file has an empty name; if the name is not empty, the data qualifies as an alternate stream. By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream' you are able to read and write to alternates. This feature might be used to write hidden data, abusing an original file. ADS can also be used for good reasons:
- Windows Resource Manager uses ADS to identify high-risk files that should not be accessed.
- Attachment scanners use ADS to mark dangerous files and prevent them from being downloaded.
- ADS is used to support file encryption.
- A lot of anti-virus software uses ADS while scanning.
Now, let's take a simple example of how to create and use an Alternate Data Stream with cmd.exe and PowerShell. After that, I will show you ways to detect ADS hidden inside NTFS on a Windows 10 host.
In this example, I will use the Windows Command Prompt (cmd.exe) and a harmless rubber duck image to store an executable payload, in our case the Windows calculator, calc.exe. Afterwards, we will execute the hidden payload. Let's start hacking!
We have an original rubberduck.jpg file of 7615 bytes, with no hidden stream inside. To check for ADS, I use the /r switch of the dir command when listing the directory:
Now it is time to create the data stream. First, prepare a 'malicious' payload by copying calc.exe from Windows\System32:
> copy c:\Windows\System32\calc.exe .
To create a simple ADS, use the type command and redirect the executable into a named $DATA stream of the original file, here called payload.exe:
> type calc.exe > rubberduck.jpg:payload.exe
Just clean up the folder once that is done and check again:
There is only the original file, with exactly the same length as before. Perfect! Our malicious executable has just been hidden inside rubberduck.jpg.
Time to execute our trojan. The easiest way to do so is the forfiles command. We specify cmd.exe with the /m (search mask) switch as the utility that will run the executable, and point /c 'command to run' at the malicious stream:
> forfiles /P c:\Windows\System32 /m cmd.exe /c "<path-to-file>\rubberduck.jpg:payload.exe"
calc.exe was executed as expected. So, let's check the content again with dir /r:
Here we can see that a $DATA stream was created which contains the malicious payload.
Now I would like to show a way to list hidden content using PowerShell. This is pretty straightforward with:
PS> Get-Item * -Stream *
To delete an ADS, just use Remove-Item and specify the stream to delete:
PS> Remove-Item .\rubberduck.jpg -Stream payload.exe
There are a number of tools that can detect and remove ADS; almost all anti-virus software does. I would only like to draw your attention to one small tool, Streams from Microsoft Sysinternals. Streams examines the files and directories specified and reports the names and sizes of any named streams it encounters within those files.
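The PowerShell listing and removal commands above can be turned into a small audit that walks a directory tree, skips the benign Zone.Identifier stream, flags any named stream that starts with a PE ('MZ') header, and removes the ones you select. The script below is an added example and is not code from the original post or from Sysinternals Streams; the function names, parameter names and the constructed demo file are my own choices, and it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

```powershell
# Added example (not from the original post): audit an NTFS tree for alternate data
# streams, flag PE-looking streams and remove selected ones. Function and parameter
# names are assumptions chosen for this example.

function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root,

        # Zone.Identifier is written by browsers and mail clients to mark downloaded
        # files and is almost always benign; skipped unless this switch is given.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns every $DATA stream; the main unnamed stream shows as ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            $streamName  = $_.Stream
            $looksLikePe = $false
            try {
                # .NET opens 'file:stream' paths directly; read the first two bytes.
                $fs = [System.IO.File]::OpenRead($file.FullName + ':' + $streamName)
                try {
                    $magic = New-Object byte[] 2
                    $read  = $fs.Read($magic, 0, 2)
                    # 0x4D 0x5A is the 'MZ' signature at the start of every PE file.
                    $looksLikePe = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
                } finally { $fs.Dispose() }
            } catch { }

            [pscustomobject]@{
                Path        = $file.FullName
                Stream      = $streamName
                Length      = $_.Length
                LooksLikePE = $looksLikePe
            }
        }
    }
}

function Remove-AlternateDataStream {
    # Accepts the objects emitted by Find-AlternateDataStream; supports -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]$Path,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]$Stream
    )
    process {
        if ($PSCmdlet.ShouldProcess("${Path}:${Stream}", 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $Path -Stream $Stream
        }
    }
}

function Invoke-AdsDemo {
    # Constructed sample: a 7615-byte dummy 'image' plus a harmless text stream whose
    # first bytes are 'MZ', to show that the file Length is unchanged while the audit
    # still reports the stream and flags it.
    $dir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $f = Join-Path $dir 'rubberduck.jpg'
    [System.IO.File]::WriteAllBytes($f, (New-Object byte[] 7615))
    $before = (Get-Item -LiteralPath $f).Length

    Set-Content -LiteralPath $f -Stream 'payload.exe' -Value 'MZ constructed demo stream'
    $after = (Get-Item -LiteralPath $f).Length

    "Length before: $before, after adding stream: $after (dir shows no change)"
    $found = Find-AlternateDataStream -Root $dir
    $found | Format-Table Path, Stream, Length, LooksLikePE -AutoSize

    # Dry run of the removal, then the real thing and a re-check.
    $found | Remove-AlternateDataStream -WhatIf
    $found | Remove-AlternateDataStream -Confirm:$false
    "Streams left after removal: $((Find-AlternateDataStream -Root $dir | Measure-Object).Count)"

    Remove-Item -LiteralPath $dir -Recurse -Force
}
```

Run `Invoke-AdsDemo` to see the round trip on a throwaway file; for a real audit, `Find-AlternateDataStream -Root C:\Users | Where-Object LooksLikePE` narrows the output to streams that carry an executable header, and piping into `Remove-AlternateDataStream -WhatIf` shows what would be deleted before anything is touched. The 'MZ' check is only a quick triage signal: an attacker can store a non-PE payload (a script, for instance), so any unexpected named stream on a user-writable file deserves a look regardless of the flag.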
That is it for now. This was a brief talk about how to use steganography and Alternate Data Streams under Windows NTFS to hide an executable payload within an image. If you liked the post, please comment or reach out to me on Twitter, CyberTechTalk.
See you, be ethical, and protect your privacy!