This is about … .
Alternate data streams. Introduced to ensure compatibility between NTFS and HFS. They allow hiding files inside other files.
type C:\mal.exe > C:\readme.txt:naughty.exe
start readme.txt:naughty.exe
mklink innocent.exe readme.txt:naughty.exe
The mklink line creates a link so that running innocent.exe runs the hidden stream. But dir /r will display all streams, and tools such as LNS and Sfind will hunt down such files. Also, when you copy files to or from a FAT partition, all alternate streams are dropped, since FAT does not support them.
On Windows machines (NTFS file system) it's possible to "append" a file to another file in such a way that the appended file is not visible with standard tools. This notion is called an alternate data stream. Several problems arise in this case:
The host file's hash is not changed, because technically the stream is not part of the host file. To check, use fciv.
The host file's size is not changed, again because the stream is not counted as part of the host file.
These streams are not listed by default, so tools such as cmd, PowerShell, Explorer and others won't show them if you don't know the magic word. Even if you run type filewithlitter.txt you won't see the stream's contents, only the original file's.
How to create an ADS
type litter.txt > host.txt:litterhidden.txt
How to check a directory for an ADS
streams -s <directory>
How to get a file from a stream
You need to know its name to be able to reference it:
notepad host.txt:litterhidden.txt
If you find a program file with an executable attached, it almost always means something malicious is in place. Sometimes attackers hide the extension; in that case the stream's file size may be a good reason to dig deeper.
How to delete the stream
streams -s -d <directory>
Quite dangerous, since you might delete something legitimate instead: some system files store data in streams for legitimate reasons. Why, btw?
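As an added example (not part of the original notes, and not a tool the page mentions), here is a small Python triage script that parses the output of dir /r, the command named above, and flags named streams worth a closer look. The sample dir /r listing inside it is constructed, not captured from a real machine; the regular expression reflects the layout dir /r prints (a stream line carries only a size and host:stream:$DATA, with no date column), and the assumption that Zone.Identifier is a benign Windows-written stream is mine. Extraction and deletion are deliberately left to the tools the notes already describe, so the script only reports.

```python
import re
from dataclasses import dataclass

# Constructed sample of `dir /r` output (not captured from a real system).
# Stream lines have no date/time column, only a size and host:stream:$DATA.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\alice\\docs

02/10/2024  10:15 AM    <DIR>          .
02/10/2024  10:15 AM    <DIR>          ..
02/10/2024  10:16 AM                12 readme.txt
                                 73728 readme.txt:naughty.exe:$DATA
02/10/2024  10:17 AM             1,024 notes.docx
                                    26 notes.docx:Zone.Identifier:$DATA
02/10/2024  10:18 AM                 0 empty.txt
                                     5 empty.txt:litterhidden.txt:$DATA
               3 File(s)          1,036 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A stream line: leading whitespace, size (with thousands separators),
# then <host>:<stream>:$DATA. Regular file lines start with a date, so
# the leading-whitespace anchor keeps them out.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Assumption: Zone.Identifier is the mark-of-the-web stream that browsers
# attach to downloads and is normally benign; everything else is reported.
KNOWN_BENIGN = {"Zone.Identifier"}

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")


@dataclass
class StreamFinding:
    host: str
    stream: str
    size: int
    reasons: list


def parse_streams(dir_output):
    """Return (host, stream_name, size) for every ADS line in `dir /r` output."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def triage(dir_output):
    """Flag named streams that are not known-benign, with the reasons."""
    findings = []
    for host, stream, size in parse_streams(dir_output):
        if stream in KNOWN_BENIGN:
            continue
        reasons = []
        if stream.lower().endswith(EXEC_SUFFIXES):
            reasons.append("executable-looking stream name")
        if size > 0:
            # The host's own size and hash do not reflect these bytes.
            reasons.append(f"non-empty stream ({size} bytes) not reflected in host size/hash")
        if not reasons:
            reasons.append("unexpected named stream")
        findings.append(StreamFinding(host, stream, size, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DIR_R):
        print(f"{f.host}:{f.stream} ({f.size} bytes): {'; '.join(f.reasons)}")
```

On a real system, pipe the listing in with dir /r > listing.txt and feed the file's contents to triage(); the empty.txt entry in the sample shows the point made above, a zero-byte host whose stream still carries data.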