This is about … .
Alternate data streams (ADS). An NTFS feature introduced for compatibility with HFS. They allow hiding a file inside another file.
type C:\mal.exe > C:\readme.txt:naughty.exe
start readme.txt:naughty.exe
mklink innocent.exe readme.txt:naughty.exe
to run innocent.exe. But dir /r will display all streams. LNS and Sfind will hunt down such files. Also, when you copy files to or from a FAT partition, all the alternate streams are dropped, because FAT has no support for them.
On Windows machines (NTFS file system) it’s possible to “append” a file to another file in such a way that this file is not visible with standard tools. This notion is called an alternate data stream. There are several problems that arise in this case:
The host file’s hash is not changed, because technically the stream is not a part of this file. To check, use fciv.
The host file’s size is not changed, again, because technically the stream is not a part of this file.
These files are not shown by the standard tools, so cmd, PowerShell, Explorer and others won’t see them if you don’t know the magic 🪄 word. Even if you run type filewithlitter.txt you won’t see the stream file’s contents, only the original one’s.
How to create an ADS
type litter.txt > host.txt:litterhidden.txt
How to check a directory for an ADS
streams -s <directory>
How to get a file from a stream
You need to know its name to be able to reference it:
If you find a program file with an executable attached, it almost always means something malicious is in place. Sometimes, attackers might hide the extension. In this case, the file size might be a good reason to dig deeper.
How to delete the stream
streams -s -d <directory>. Quite dangerous, since you might delete something good instead. Some system files are stored as streams for legitimate reasons. Why, btw?
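The checking step above, done without Sysinternals: an added example (not from these notes) that sweeps a directory for alternate data streams and flags the ones that carry a PE executable, so a defender can triage before deleting anything. It assumes Windows PowerShell 5.1 on NTFS; the directory path is a placeholder.

```powershell
# Added example: list every alternate data stream under $Root and flag
# streams that start with the 'MZ' PE header. Assumes Windows PowerShell 5.1.
param(
    [string]$Root = 'C:\Users\Public'   # placeholder: directory to sweep
)

Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # -Stream * returns all streams; ':$DATA' is the normal file content,
    # anything else is an alternate data stream.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        $stream = $_
        # Zone.Identifier is the legitimate "mark of the web" stream that
        # browsers and Explorer write on downloaded files.
        $benign = ($stream.Stream -eq 'Zone.Identifier')
        # Peek at the first two bytes of the stream; 'MZ' (0x4D 0x5A) means
        # an executable is stored in it regardless of the host file's name.
        $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
        [pscustomobject]@{
            File       = $file.FullName
            Stream     = $stream.Stream
            Bytes      = $stream.Length     # the size dir and Explorer never show
            Executable = $isPE
            Benign     = $benign
        }
      }
  } | Sort-Object Executable -Descending | Format-Table -AutoSize
```

Run it before streams -d so that Zone.Identifier and other legitimate streams are not wiped along with the suspicious ones.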