Hackers Hide with Clever Alternate Data Streams

Published 2024-04-02
jh.live/crowdsec || Get curated threat intelligence powered by the crowd, and contribute to better cybersecurity defense with CrowdSec: jh.live/crowdsec

Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com/

📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subs

All Comments (21)
  • @BPL-Whipster
    A lot of people used to hide truecrypt volumes in alternate data streams back in the day. Great for exfil, unless the customer had a halfway decent DLP solution
  • @simbad3311
    Good content John... keep it going, mate.
  • @N....
    7:00 another way is via a symbolic link. Interestingly this can confuse programs that try to obtain their own executable path via Windows APIs, which could lead to additional vulnerabilities - for example, a program that tries to execute itself with arguments can be added as an ADS to an unrelated program executable, and it might launch that unrelated program with those arguments.
  • @muizzsiddique
    6:30 It is pwsh, but you don't have the externally downloaded PowerShell, just the one that comes bundled with Windows.
  • @socksman669
    A few months ago I tried to create a project around locating ADS…I should go back to that.
  • @luckyloo2228
    A lot of love letters will be written like this
  • @kabaduck
    I recall that some of these commands seem to truncate the input; there were some where I had to put a buffer on the front of the command, because the front characters of the command were clipped for some reason. Like 14 characters would be missing. Lots of weird stuff in here.
  • @timschannel247
    Great contribution, bro! I love getting new insights on stuff like this; I was never aware that this is possible, to be honest.
  • @darknode4791
    Wouldn't AMSI detect it if there were a malicious script in a suspiciously newly created data stream?
  • @snarkykat
    So, if someone has something hidden in an alternate stream of the C:\ file system object, then how do you get rid of it without wiping the drive? Also, is it possible to see the alternate stream if C:\ is mounted as a folder, perhaps on another drive?
  • @Freeak6
    Awesome trick!!!! Could you explain why the ADS on C:\ never shows up? (Maybe you did, but I didn't get it ^^)
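The two questions above (finding a stream attached to a directory object such as C:\, and removing it without wiping the drive) can be answered from PowerShell. The script below is an added example, not code from the video or its author; it assumes Windows PowerShell 5.1 or later on an NTFS volume, that the FileSystem provider's `-Stream` parameter works on directory objects, and that inspecting a volume root may require an elevated prompt. `Find-AlternateDataStream` and `Remove-AlternateDataStream` are names chosen here.

```powershell
# Added example (not from the video): list alternate data streams under a path,
# including those on the directory object itself, and remove a specific one.
# Assumes Windows PowerShell 5.1+ on NTFS; run elevated for a volume root.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # Start with the object itself: a directory (even C:\) can carry streams,
    # which is why a plain Get-ChildItem of its contents never shows them.
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        # -Stream * returns every stream; the unnamed ':$DATA' stream is the
        # ordinary content, so filter it out to keep only the named ones.
        # Note: 'Zone.Identifier' (Mark of the Web) is a common benign stream.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }
}

function Remove-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream
    )
    # Deletes only the named stream; the host file or directory and its
    # primary content stay intact, so no reformat is needed.
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# Usage (paths and stream name are placeholders):
# Find-AlternateDataStream -Path 'C:\'                         # streams on the root object
# Find-AlternateDataStream -Path 'C:\Users\Public' -Recurse    # streams on everything below
# Remove-AlternateDataStream -Path 'C:\Users\Public\note.txt' -Stream 'hidden.txt'
```

Because a directory's streams are attached to the directory object rather than to its children, the same `Get-Item -Stream *` call works against a mount-point folder as well as against a drive letter.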