Adversaries use alternate data streams (ADS) in the Windows NTFS file system to hide and execute malicious files, evading detection by standard tools like File Explorer. Techniques such as T1564.004 are employed by threat actors like Indrik Spider using malware including BitPaymer ransomware. #AlternateDataStreams #BitPaymer #IndrikSpider
Keypoints
- Alternate Data Streams (ADS) are a feature of Windows NTFS allowing hidden named data streams attached to files or directories, invisible in File Explorer.
- Adversaries exploit ADS to hide malicious data and execute payloads discreetly, bypassing many defensive tools.
- The BitPaymer ransomware, linked to the threat actor Indrik Spider, uses ADS to store and execute itself, generating significant financial gains.
- Windows tools such as PowerShell, wmic, and rundll32 can directly execute code stored within ADS, facilitating stealthy malware operation.
- Files with reserved Windows device names (e.g., CON) can carry ADS that are difficult to create, read or detect unless the extended-length path prefix `\\?\` is used, because normal Win32 paths resolve those names to devices rather than files.
- Detection can be enhanced by monitoring for file names containing colons and by using tools like Streams.exe and Streams64.exe combined with scheduled tasks to enumerate ADS regularly.
- Automating ADS detection provides visibility into hidden streams and counters the stealth techniques used by sophisticated threat actors.
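The following PowerShell session is an added example, not code from the ISC diary: it creates a carrier file with a named stream, lists the streams the way a `dir /R` would, shows how a sweep over a directory tree surfaces non-default streams, and notes the `\\?\` handling for reserved names. The file name `ads-demo.txt`, the stream name `payload` and the function name `Find-AlternateDataStreams` are invented for the demo; it assumes an NTFS volume and Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the ISC diary): create, enumerate and inspect NTFS
# alternate data streams, then sweep a directory tree for non-default streams.
# Assumes an NTFS volume; names (ads-demo.txt, 'payload') are made up for the demo.

# --- 1. Create a carrier file with a hidden named stream (lab use only) ---
$carrier = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $carrier -Value 'Visible content'
# Any bytes can live in a named stream; a text marker stands in for a payload here.
Set-Content -Path $carrier -Stream 'payload' -Value 'hidden content'

# Explorer and a plain 'dir' report only the unnamed stream's size.
# From cmd.exe the equivalent listing is:  dir /R  (shows "ads-demo.txt:payload:$DATA")
Get-Item -Path $carrier -Stream * | Select-Object FileName, Stream, Length

# Read the named stream back directly.
Get-Content -Path $carrier -Stream 'payload'

# Execution straight from a stream, as the diary describes for an executable
# stored in an ADS (not run here):
#   wmic process call create "C:\Temp\carrier.txt:payload.exe"

# --- 2. Sweep a tree for alternate streams ---
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is written by browsers on download; noisy and usually benign,
        # so it is excluded unless explicitly requested.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream, including the unnamed ':$DATA' default.
            # Directories can carry ADS too; errors on objects without streams are ignored.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Scheduled-task friendly: run against a path and keep the output as a baseline.
Find-AlternateDataStreams -Root $env:TEMP

# --- 3. Reserved device names (CON, NUL, COM1, ...) ---
# A normal Win32 path such as C:\Temp\CON resolves to the console device, so neither
# the file nor a stream on it is reachable that way. The \\?\ prefix bypasses that
# normalisation; adversaries use it to create such objects and defenders need it to
# find and remove them. PowerShell's provider handles \\?\ inconsistently across
# versions, so use cmd.exe for these steps:
#   echo hidden > \\?\C:\Temp\CON:payload
#   dir /R \\?\C:\Temp
#   del \\?\C:\Temp\CON

# Clean up the demo carrier (removing the file removes all of its streams).
Remove-Item -Path $carrier
```

Run the sweep from a scheduled task and diff its output against the previous run; a new named stream on a file that should not have one is the signal the diary's detection advice is aiming at.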
MITRE Techniques
- [T1564.004] Hidden Files and Directories: Alternate Data Streams – Used to write and execute malicious payloads hidden in ADS. (“Adversaries want to complete their objectives and need to do so in a manner which evades detection… Mitre ATT&CK has documented… categorized by Mitre as T1564.004”)
Indicators of Compromise
- [File Name & Path] Usage of alternate data streams, including streams on files with reserved device names such as CON that must be addressed with the `\\?\` prefix – example: `\\?\C:\Temp\CON`
- [File Hashes] Executable hidden in an ADS, such as the diary's example “enumerateFiles.exe” launched via wmic (the diary gives the example but provides no hashes)
- [Command Line] Use of `dir /r` and of the Sysinternals tools Streams.exe / Streams64.exe to list ADS and detect hidden streams
Read more: https://isc.sans.edu/diary/rss/31990