Alternate data streams
Alternate data streams (ADS). Specific to Windows. See more here. Are there such streams on other OSes? If so, how are they created and discovered?
Introduced for compatibility between NTFS and HFS. They allow data to be hidden behind an ordinary-looking file.
C:\> type C:\mal.exe > C:\readme.txt:naughty.exe
C:\> start readme.txt:naughty.exe
C:\> mklink innocent.exe readme.txt:naughty.exe   (then run innocent.exe)
dir /r displays all streams. LNS and Sfind will hunt down such files. Also, copying a file to a FAT partition drops its extra streams, since FAT cannot store them.
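A defender-side check for the streams described above, added here as an example rather than taken from the notes: it walks a directory with Get-Item -Stream (PowerShell 3.0 or later, NTFS volumes only) and reports every stream other than the unnamed data stream. The scratch directory, the file and its extra stream are constructed by the script itself.

```powershell
# Added example (not from the original notes): list alternate data streams under a directory
# and flag the ones that are not the ordinary unnamed stream.
# Assumptions: PowerShell 3.0+ (Get-Item/Set-Content -Stream), NTFS volume, $Root is a scratch path.

$Root = Join-Path $env:TEMP 'ads-demo'

# Constructed sample so the scan has something to find: a text file with one extra named stream.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$sample = Join-Path $Root 'readme.txt'
Set-Content -LiteralPath $sample -Value 'visible contents'
Set-Content -LiteralPath $sample -Stream 'extra' -Value 'constructed hidden text'

function Find-AlternateStreams {
    param([string]$Path)
    # -Force includes hidden files; -File skips directories (they can carry streams too,
    # drop the switch for a full sweep).
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $file = $_
        # -Stream * returns one record per stream; ':$DATA' is the normal unnamed data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # Zone.Identifier is the mark-of-the-web that browsers and Explorer attach
                    # to downloads; anything else deserves a closer look.
                    Benign = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    }
}

$findings = Find-AlternateStreams -Path $Root
$findings | Format-Table -AutoSize

# Inspect a stream's contents without executing anything:
#   Get-Content -LiteralPath $sample -Stream 'extra'
# Remove the scratch directory when done:
#   Remove-Item -LiteralPath $Root -Recurse -Force
```

The cmd.exe equivalent is the dir /r from the note; the PowerShell form is easier to filter and to feed into a scheduled scan, and Get-Content -Stream lets an analyst read a suspicious stream instead of starting it.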
As an example, take HKEY_USERS\Software\Microsoft\Internet Explorer\Scripts\1, a key that holds nothing. Add a Multi-String value named "Hidden data"; open it and start with random-looking data such as
0x111110000 so it looks legitimate, then type many spaces so the rest is pushed out of the preview. Add the secret data after that, ignoring the warnings about empty strings. Now it is difficult to find.
💡 Interesting idea for security policies: automatically run RegShot at system start and again before shutdown, every day, to record each day's changes. In case of an incident this could be very helpful. How costly would that tactic be?
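Both the multi-string hiding trick above and the daily RegShot idea come down to walking a registry subtree and recording its values. The following added example (written for this page; it is neither RegShot nor Suhanov's code) does that in Windows PowerShell 5.1: it snapshots a subtree to JSON, compares it with the previous snapshot, and separately flags REG_MULTI_SZ values that contain empty elements or long runs of leading spaces. The subtree HKCU:\Software, the snapshot folder and the eight-space threshold are assumptions.

```powershell
# Added example (not from the original notes): snapshot a registry subtree to JSON, diff it
# against an earlier snapshot, and flag REG_MULTI_SZ values with empty elements or long runs
# of leading spaces (the pattern the hiding trick above produces).
# Assumptions: Windows PowerShell 5.1+, $KeyPath and $SnapshotDir are placeholders.

$Separator = [string][char]0x1F   # joins multi-string elements into one comparable string

function Get-RegistrySnapshot {
    param([string]$KeyPath)
    $snapshot = @{}
    $keys = @(Get-Item -Path $KeyPath -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind  = $key.GetValueKind($name)
            $value = $key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            # Arrays (REG_MULTI_SZ, REG_BINARY) are flattened so entries can be compared and saved
            $text = if ($value -is [array]) { ($value | ForEach-Object { "$_" }) -join $Separator } else { "$value" }
            $snapshot["$($key.Name)::$name"] = [pscustomobject]@{
                Key = $key.Name; Name = $name; Kind = "$kind"; Value = $text
            }
        }
    }
    return $snapshot
}

function Save-RegistrySnapshot {
    param([hashtable]$Snapshot, [string]$Path)
    ConvertTo-Json -InputObject @($Snapshot.Values) -Depth 3 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Import-RegistrySnapshot {
    param([string]$Path)
    $snapshot = @{}
    foreach ($entry in (Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json)) {
        $snapshot["$($entry.Key)::$($entry.Name)"] = $entry
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($id in $After.Keys) {
        $new = $After[$id]
        if (-not $Before.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added';   Key = $new.Key; Name = $new.Name; Kind = $new.Kind; Value = $new.Value }
        } elseif ($Before[$id].Value -ne $new.Value -or $Before[$id].Kind -ne $new.Kind) {
            [pscustomobject]@{ Change = 'Changed'; Key = $new.Key; Name = $new.Name; Kind = $new.Kind; Value = $new.Value }
        }
    }
    foreach ($id in $Before.Keys) {
        if (-not $After.ContainsKey($id)) {
            $old = $Before[$id]
            [pscustomobject]@{ Change = 'Removed'; Key = $old.Key; Name = $old.Name; Kind = $old.Kind; Value = $old.Value }
        }
    }
}

function Find-PaddedMultiString {
    param([hashtable]$Snapshot, [int]$MinSpaces = 8)
    foreach ($entry in $Snapshot.Values) {
        if ($entry.Kind -ne 'MultiString' -or $entry.Value -eq '') { continue }
        $parts  = $entry.Value -split [regex]::Escape($Separator)
        $empty  = @($parts | Where-Object { $_ -eq '' }).Count                      # empty-string elements
        $padded = @($parts | Where-Object { $_ -match "^ {$MinSpaces,}\S" }).Count  # text after a run of spaces
        if ($empty -gt 0 -or $padded -gt 0) {
            [pscustomobject]@{ Key = $entry.Key; Name = $entry.Name; EmptyElements = $empty; PaddedElements = $padded }
        }
    }
}

# Usage: one run from a logon task, one from a shutdown script, then compare the two.
$KeyPath     = 'HKCU:\Software'                        # assumption: subtree to watch
$SnapshotDir = Join-Path $env:LOCALAPPDATA 'regsnap'   # assumption: where snapshots are kept
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$today = Get-RegistrySnapshot -KeyPath $KeyPath
$file  = Join-Path $SnapshotDir ('snapshot-' + (Get-Date -Format 'yyyyMMdd-HHmm') + '.json')
Save-RegistrySnapshot -Snapshot $today -Path $file
$previous = Get-ChildItem -Path $SnapshotDir -Filter 'snapshot-*.json' |
            Sort-Object Name | Select-Object -Last 2 | Select-Object -First 1
if ($previous -and $previous.FullName -ne $file) {
    Compare-RegistrySnapshot -Before (Import-RegistrySnapshot -Path $previous.FullName) -After $today | Format-Table -AutoSize
}
Find-PaddedMultiString -Snapshot $today | Format-Table -AutoSize
```

The cost question is answered by timing one run on a representative machine: the work and the JSON size are linear in the number of values under the chosen subtree, so watching all of HKLM is a very different proposition from watching one application's key, and the diff output is only useful if someone reads it or feeds it to a SIEM.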
Hiding data in document metadata is possible on any OS. Windows examples might include macros. For an Office document:
File -> Info -> Comments, or right-click the file -> Properties -> Details. Other fields can be used to store information as well. In Office documents most of the bytes are not the content but formatting and metadata. Adding comments updates the file's last-accessed and last-modified dates and increases the file size.
- Metadata Assistant. Commercial. Not too expensive. 💡 Maybe I should write a Python tool that does the same?
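As a sketch of the tool the note wonders about, here is an added example (not from the notes, and not Metadata Assistant) in PowerShell rather than Python: it opens a .docx as the zip of XML parts it is, reads the core properties and the comments part, and lists them beside the file system's own timestamps. The sample document is constructed by the script; the part names docProps/core.xml and word/comments.xml are the standard ones.

```powershell
# Added example (not from the original notes and not Metadata Assistant): pull author, dates and
# reviewer comments out of a .docx without opening Word. A .docx is a zip of XML parts; the
# fields below live in docProps/core.xml and word/comments.xml. The sample document is
# constructed here so the script runs on its own; pass a real file the same way.
# Assumption: Windows PowerShell 5.1+ (.NET Framework 4.5+ for System.IO.Compression).

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Constructed sample parts (values are made up)
$CoreXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>analyst</dc:creator>
  <cp:lastModifiedBy>someone-else</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2020-01-01T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2020-01-02T11:30:00Z</dcterms:modified>
</cp:coreProperties>
'@

$CommentsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:comments xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:comment w:id="0" w:author="someone-else" w:date="2020-01-02T11:29:00Z">
    <w:p><w:r><w:t>constructed comment: text that never shows in the printed body</w:t></w:r></w:p>
  </w:comment>
</w:comments>
'@

function New-SampleDocx {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path }
    $parts = @{ 'docProps/core.xml' = $CoreXml; 'word/comments.xml' = $CommentsXml }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($part in $parts.GetEnumerator()) {
            $writer = New-Object System.IO.StreamWriter($zip.CreateEntry($part.Key).Open())
            try { $writer.Write($part.Value) } finally { $writer.Dispose() }
        }
    } finally { $zip.Dispose() }
}

function Read-XmlPart {
    param([System.IO.Compression.ZipArchive]$Zip, [string]$Name)
    $entry = $Zip.GetEntry($Name)
    if ($null -eq $entry) { return $null }    # e.g. no word/comments.xml when there are no comments
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { return [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
}

function Get-DocxMetadata {
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $core     = Read-XmlPart -Zip $zip -Name 'docProps/core.xml'
        $comments = Read-XmlPart -Zip $zip -Name 'word/comments.xml'
        $props    = $core.coreProperties          # PowerShell drops the namespace prefixes
        $list = @()
        if ($comments) {
            foreach ($c in $comments.comments.comment) {
                $list += [pscustomobject]@{ Author = $c.author; Date = $c.date; Text = (@($c.p.r.t) -join ' ') }
            }
        }
        [pscustomobject]@{
            File           = $Path
            Creator        = $props.creator
            LastModifiedBy = $props.lastModifiedBy
            Created        = $props.created.'#text'
            Modified       = $props.modified.'#text'
            Comments       = $list
        }
    } finally { $zip.Dispose() }
}

$doc = Join-Path $env:TEMP 'sample.docx'
New-SampleDocx -Path $doc
$meta = Get-DocxMetadata -Path $doc
$meta | Format-List Creator, LastModifiedBy, Created, Modified
$meta.Comments | Format-Table -AutoSize
# The file system's own timestamps and size move whenever comments are added; compare them:
Get-Item -LiteralPath $doc | Select-Object Length, CreationTime, LastWriteTime
```

A mismatch between the creator and the last-modified-by name, a comment dated after the document's modified time, or an NTFS LastWriteTime that disagrees with the internal modified date are the kinds of inconsistencies worth reporting from a bulk run over a document share.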
grep: a simple string search for known, case-specific keywords.
Logs can be disabled, cleared or tampered with. The noisiest options are disabling or clearing them: although the evidence is deleted this way, it is a very strong indicator that the system was compromised.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog allows the log location to be changed. By default, logs are here:
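The three kinds of tampering just listed each leave something a defender can query. The following added example (not from the notes) does so in PowerShell: it reads each log's File value under the Eventlog service key and compares it with the default location, reports the age and count of records per log against the last boot, and pulls the events that record a cleared log or a changed audit policy. It assumes an elevated session on Windows Vista or later, where the default path is %SystemRoot%\System32\Winevt\Logs\<log>.evtx.

```powershell
# Added example (not from the original notes): checks for event-log tampering.
# Assumptions: elevated PowerShell on Windows Vista or later, where each log's location is the
# 'File' value under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log> and the default is
# %SystemRoot%\System32\Winevt\Logs\<log>.evtx.

function Get-EventLogLocationCheck {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    foreach ($key in Get-ChildItem -Path $base) {
        $log  = $key.PSChildName
        $file = (Get-ItemProperty -Path $key.PSPath -Name File -ErrorAction SilentlyContinue).File
        # Only the location is compared here; a log can still be edited in place.
        $isDefault = ($file -eq "%SystemRoot%\System32\Winevt\Logs\$log.evtx")
        if (-not $file) { $file = '(no File value)' }
        [pscustomobject]@{ Log = $log; File = $file; IsDefault = $isDefault }
    }
}

function Get-LogSpan {
    # Crude signal for a cleared log: few records, or an oldest record much newer than the
    # last boot on a machine that has been running for a long time.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    foreach ($log in 'Security', 'System', 'Application') {
        $config = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log           = $log
            Enabled       = $config.IsEnabled
            Records       = $config.RecordCount
            Oldest        = $oldest.TimeCreated
            LastBoot      = $boot
            OlderThanBoot = ($null -ne $oldest -and $oldest.TimeCreated -lt $boot)
        }
    }
}

function Get-LogTamperEvents {
    param([int]$MaxEvents = 20)
    # Security 1102: the Security log was cleared.
    # System 104 (provider Microsoft-Windows-Eventlog): another log was cleared.
    # Security 4719: the system audit policy was changed, which is what turning auditing off
    # leaves behind while the policy-change subcategory itself is still audited.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102 },
        @{ LogName = 'System';   Id = 104; ProviderName = 'Microsoft-Windows-Eventlog' },
        @{ LogName = 'Security'; Id = 4719 }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id,
                @{ n = 'Subject'; e = { $_.UserId } },
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Get-EventLogLocationCheck | Format-Table -AutoSize
Get-LogSpan | Format-Table -AutoSize
Get-LogTamperEvents | Format-Table -AutoSize -Wrap
```

Because the clearing event is written into the very log that was just emptied, it is also the first thing an attacker expects to be found there; forwarding these logs to a collector as they are written is what makes the check hold up.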
MRU - most recently used
- turn off AutoComplete
- clear Toolbar
- C:\> auditpol \\targetIPaddress /disable
- delete recent docs
The $BadClus metafile marks a block of sectors as bad so the file system (NTFS) skips them, which makes it a place to hide data. 🛠 Metasploit can do it.
FAT file systems read the root directory from top to bottom and stop at the first directory entry whose first byte is
0x00. Anything past that entry is not seen by the OS, so information is sometimes hidden there. More here.
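The behaviour just described, worked through on a constructed directory region as an added example (not from the notes): the parser reads standard 32-byte FAT directory entries, once the way the OS does (stopping at the first 0x00 entry) and once the way a forensic scan should (continuing to the end of the region). The entries, names and cluster numbers are made up; a real region would be read from the root-directory sectors of a disk image.

```powershell
# Added example (not from the original notes): read a FAT directory region both the way the OS
# does (stop at the first entry whose first byte is 0x00) and the way a forensic scan should
# (keep going to the end of the region). The region is constructed here from standard 32-byte
# FAT directory entries; a real one would come from the root-directory sectors of an image.

function New-DirEntry {
    param([string]$Name83, [byte]$Attr, [uint16]$FirstCluster, [uint32]$Size)
    $e = New-Object byte[] 32
    # bytes 0-10: 8.3 name, space padded; 11: attributes; 26-27: first cluster (low word);
    # 28-31: file size. Timestamps (bytes 13-25) are left at zero for the demo.
    [Array]::Copy([System.Text.Encoding]::ASCII.GetBytes($Name83.PadRight(11)), 0, $e, 0, 11)
    $e[11] = $Attr
    [Array]::Copy([BitConverter]::GetBytes($FirstCluster), 0, $e, 26, 2)
    [Array]::Copy([BitConverter]::GetBytes($Size), 0, $e, 28, 4)
    return ,$e
}

function Read-FatDirectory {
    param([byte[]]$Region, [switch]$PastEndMarker)
    for ($off = 0; $off + 32 -le $Region.Length; $off += 32) {
        $first = $Region[$off]
        if ($first -eq 0x00) {
            # 0x00 means 'no entries follow': the OS stops, a forensic scan keeps going.
            if (-not $PastEndMarker) { break } else { continue }
        }
        $attr = $Region[$off + 11]
        if ($attr -eq 0x0F) { continue }             # long-file-name fragment, not a file entry
        $raw  = [System.Text.Encoding]::ASCII.GetString($Region, $off, 11)
        $name = $raw.Substring(0, 8).TrimEnd()
        $ext  = $raw.Substring(8, 3).TrimEnd()
        if ($ext) { $name = "$name.$ext" }
        [pscustomobject]@{
            Offset       = $off
            Name         = $name                     # a 0xE5 first byte (deleted) renders as '?'
            Deleted      = ($first -eq 0xE5)
            Hidden       = (($attr -band 0x02) -ne 0)
            Directory    = (($attr -band 0x10) -ne 0)
            FirstCluster = [BitConverter]::ToUInt16($Region, $off + 26)   # FAT32 keeps the high word at 20-21
            Size         = [BitConverter]::ToUInt32($Region, $off + 28)
        }
    }
}

# Constructed region: a normal file, the 0x00 end marker, then a hidden file and a deleted one
# placed after the marker, where the OS never looks.
$deleted = New-DirEntry 'OLD     LOG' 0x20 12 10
$deleted[0] = 0xE5
$region = [byte[]]((New-DirEntry 'README  TXT' 0x20 3 1200) +
                   (New-Object byte[] 32) +
                   (New-DirEntry 'SECRET  DAT' 0x22 9 4096) +
                   $deleted)

'--- what the OS lists ---'
Read-FatDirectory -Region $region | Format-Table -AutoSize
'--- what a scan past the end marker finds ---'
Read-FatDirectory -Region $region -PastEndMarker | Format-Table -AutoSize
```

The first listing shows only README.TXT; the second also shows SECRET.DAT and the deleted ?LD.LOG. A scan of a real image should additionally check that every cluster chain referenced past the marker is consistent with the FAT, since stale entries from earlier deletions also live there.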
Service Hijacking and Replacement.
WebShells and Beacons.
Signing Code with Valid Cert.
Hiding data in the registry, M. Suhanov