NTFS Stream Manipulation
In this lab we will see what the attack called NTFS Stream Manipulation consists of.
NTFS (New Technology File System)

NTFS is a proprietary Microsoft file system that was introduced as a replacement for earlier file systems such as FAT (File Allocation Table) and HPFS (High Performance File System), and it incorporates technical improvements over them. Among the advantages of NTFS are improved metadata support, better disk space management, performance enhancements, an improved security model and a file encryption system called EFS (Encrypting File System).
Since Windows NT 3.1 it has been the default file system of the Windows NT family, which includes, for example, Windows Server 2008, Windows 7 and Windows 10. It is supported on desktop and server operating systems. On Linux and BSD it is supported through the NTFS-3G driver, which offers read and write support; macOS offers read support.
NTFS Alternate Data Streams

To understand the NTFS Stream Manipulation attack, we first need to know the basics of ADS (alternate data streams). ADS are a feature of the NTFS file system that allows more than one stream of data to be associated with the same file. Each file has its main content, known as the default stream, and can have one or more ADS.
These data streams use a particular format: fileName:streamName:streamType. For example, an ADS whose stream is called payload and is hosted inside a file called malicious.txt would look like this: malicious.txt:payload:$DATA. It is worth noting that ADS can exist on any type of file, including executables. The content of an ADS can be of any type and does not need to match the type of the file that contains it. For example, a JPG image file can contain data streams holding video, audio, etc.
Another characteristic of ADS is that their size is not reported as part of the total size of the file that contains them, and they do not appear in widely used Windows applications such as Windows Explorer. A file containing one or more ADS also keeps its original behaviour and will continue to work as always. For these reasons, files with malicious ADS are quite common.
When copying or moving files that contain ADS to file systems that do not support alternate data streams, the user receives a warning that the streams will be lost. However, this warning is usually not issued when files are attached to an email or uploaded to a website. In those cases all the ADS information the file contained will be lost.
NTFS Stream Manipulation
The main idea behind the manipulation of NTFS data streams is to hide information inside another file, normally for malicious purposes. For example, it allows an attacker to hide sensitive information collected from a system inside the user's own files without the user noticing any change in them. The attacker can then simply extract those apparently normal files from the target system, taking with them all the relevant information stored in the ADS.
Let's see the basic use of ADS using the Windows command console
In this part of the lab we will see how we can create a text file and then add Alternate Data Streams with information only visible to NTFS.
To begin, we open the Windows console (cmd) and create our first file, in this case a text file. For this we use the command echo, followed by the content of our file, and finally redirect everything to our file using the character > followed by the file name and extension we want to create. Let's see this in the console:

echo {content} > {file name}.{extension}
As we can see in the image, the file is created correctly and has a size of 36 bytes. We can use the command type to see its content:

Now, using the command echo again as we did in step 1, we will add the first alternate data stream to our file. The only difference is that in this case we must indicate the name of the stream. Let's see this in the console:

As we can see, the stream seems to have been added without error and our file reports the same size of 36 bytes. We also see that nowhere is it reported that there is an ADS in the file. This is precisely what makes ADS a good option for hiding information without the user noticing.
Let's add a second ADS and see how we can obtain information from them in the console:

To see the content of additional data streams that a file may contain, we use the command dir /r, which lists files including their ADS. As we can see in the previous image, the reported size of the file remains the same 36 bytes even though it contains two ADS of 23 bytes each. If we pay attention to the available disk space after creating the file and after each creation of an ADS, we can observe that NTFS does correctly keep track of how much space is actually being used. If we open the file with Notepad we see that only the data of the default stream are presented:

If we want to edit or view the content of each ADS, we must invoke it directly as follows:

As we said before, the content of an ADS can be of any format, just like the file that contains it. It is worth noting that alternate data streams can be added to directories in the same way as to files. Let's see this quickly in the console:

As we can observe in the image, the folder DIRECTORY contains an ADS called ADS1.
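The whole cmd walkthrough above (create the file, add two streams, list them with dir /r, read one back, attach a stream to a folder) as one script, added here as an example that is not part of the original lab. It is written for PowerShell but calls cmd.exe for the cmd-specific pieces, so the commands are the same ones the lab types by hand. It assumes an NTFS volume and works in a scratch folder under $env:TEMP that it creates itself; the names file.txt, ADS1, ADS2 and DIRECTORY follow the lab.

```powershell
# Added example (not the lab's own code): the cmd steps above, run from PowerShell.
# Assumes an NTFS volume; everything happens inside a scratch folder under $env:TEMP.

$lab = Join-Path $env:TEMP 'ads_lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
Set-Location $lab

# Step 1: create the file. The text goes into the default (unnamed) stream.
cmd /c 'echo This is the visible content of the file > file.txt'

# Steps 2 and 3: add two alternate data streams using the file:stream syntax.
cmd /c 'echo This is hidden in ADS1 > file.txt:ADS1'
cmd /c 'echo This is hidden in ADS2 > file.txt:ADS2'

# The reported size counts only the default stream, exactly as the lab observes.
"Reported size: $((Get-Item .\file.txt).Length) bytes"

# A plain dir hides the streams; dir /r shows each one as name:stream:$DATA.
cmd /c 'dir file.txt'
cmd /c 'dir /r file.txt'

# type does not accept the file:stream syntax, but redirecting the stream into
# more does, which is the usual way to read an ADS from cmd.
cmd /c 'more < file.txt:ADS1'

# Step 4: a stream can be attached to a directory in the same way.
New-Item -ItemType Directory -Path .\DIRECTORY -Force | Out-Null
cmd /c 'echo Hidden on a folder > DIRECTORY:ADS1'
cmd /c 'dir /r'
```

Run it in an elevated or normal PowerShell session on Windows; the final dir /r listing shows both file.txt:ADS1:$DATA and DIRECTORY:ADS1:$DATA while the byte count next to file.txt stays unchanged.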
ADS with PowerShell
PowerShell includes certain commands (cmdlets) that make it easier to work with ADS. Let's see how we can list the ADS present in the file we have created in this lab:

In PowerShell the default stream is known as the unnamed stream, since it appears listed simply as :$DATA.
To view the content of, for example, ADS2, we can use the command Get-Content as follows:

If we want to add content to an ADS we can do it with the command Set-Content. Let's see how we can add, inside a new text file, an ADS called payload that contains an executable file, such as the classic Microsoft Paint. For that we use the following command:
Set-Content -path .\NTFS_ADS_DEMO.txt -value $(Get-Content $(Get-Command mspaint.exe).Path -readcount 0 -encoding byte) -encoding byte -stream payload.exe
In this command we explicitly indicate the byte encoding, set readcount to 0 (to read the file in a single operation) and use the command Get-Command to quickly obtain the path of mspaint.exe without having to specify it manually. Then we simply indicate the name of the stream that we want to add using the switch -stream {streamName}. The -encoding byte parameter belongs to Windows PowerShell 5.1; PowerShell 7 removed it in favour of -AsByteStream.

As we can see in the image, our text file contains a new ADS. Let's see how we can execute that ADS which we know contains an executable file. To achieve this we can use Windows Management Instrumentation to create a process that executes our ADS.
This method of executing files using wmic seems to have been patched in Windows in the version I have in the VMs, therefore when trying to execute it both in CMD and in PowerShell I get an error and the program does not run. In vulnerable versions of Windows, the program would be executed directly and in our case we would see mspaint.exe running. I will investigate a bit more about other ways to execute ADS in updated versions of Windows; if I find any I will update this article.
Update: After several attempts I managed to add the content of the Windows calculator calc.exe to our practice file and execute it correctly using wmic:

As we see when the command runs correctly it generates a new process which returns a ProcessId = 4344 and a ReturnValue = 0 indicating that the process completed successfully. I do not understand why the initial attempt did not work, perhaps it is the executable of mspaint.exe or some error that I am making and cannot realize. If you notice the problem, let me know with a tweet to my account @tzero86.
If we want to delete a particular ADS we can use the cmdlet Remove-Item as follows. For example, to remove our ADS called payload:
Remove-Item -Path .\NTFS_ADS_DEMO.txt -stream payload
As we can see, our file now contains only two additional ADS. This concludes our look at, and practice with, NTFS Stream Manipulation.
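The PowerShell cmdlets used in this section (Get-Item -Stream, Get-Content -Stream and Remove-Item -Stream) are also what a defender uses to find streams like the payload one created above. The following function, added here as an example and not part of the original lab, sweeps a directory tree, reports every named stream, and flags those whose first two bytes are the MZ signature of a Windows executable, which is what the mspaint.exe or calc.exe stream would look like. The function name Find-SuspiciousAds, its parameters, and the choice to ignore Zone.Identifier (the stream browsers and mail clients write on downloaded files) are this example's own assumptions.

```powershell
# Added example (not the lab's own code): sweep a tree for alternate data streams and
# flag the ones that hold a PE executable. Function and parameter names are assumed.

function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is expected on downloaded files, so it is skipped by default
        # (assumed default); every other named stream is reported.
        [string[]] $IgnoreStreams = @('Zone.Identifier'),
        [switch] $Remove
    )

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7 replaced
    # that with -AsByteStream. Choose once and splat the right parameter below.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream; ':$DATA' is the unnamed default stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
            ForEach-Object {
                $stream = $_
                # Peek at the first two bytes only: a PE executable starts with 'MZ' (0x4D 0x5A).
                $head = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue)
                $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                # Optional clean-up with the same cmdlet the lab uses to delete a stream.
                if ($Remove -and $isPe) {
                    Remove-Item -LiteralPath $file.FullName -Stream $stream.Stream
                }

                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $stream.Stream
                    Length     = $stream.Length
                    Executable = $isPe
                    Removed    = [bool]($Remove -and $isPe)
                }
            }
    }
}

# Report every named stream under the current folder; add -Remove to delete the flagged ones.
Find-SuspiciousAds -Path . | Format-Table -AutoSize
```

Run against the folder holding NTFS_ADS_DEMO.txt, the report lists ADS1 and ADS2 with Executable set to False and the payload stream with Executable set to True; the Length column comes straight from Get-Item -Stream, so it also shows the sizes that Explorer and a plain dir never reveal.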