Hackers Hide with Clever Alternate Data Streams
Published 2024-04-02
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com/
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subs
-
everyone is freaked out about the xz backdoor * John Hammond :
-
34:32 "was i wrong all along? am i crazy?!".... this is as real as it gets lmao
-
A lot of people used to hide truecrypt volumes in alternate data streams back in the day. Great for exfil, unless the customer had a halfway decent DLP solution
-
We like the rambling John
-
Good content John....keep it goin mate.
-
10 minute crew
-
7:00 another way is via a symbolic link. Interestingly this can confuse programs that try to obtain their own executable path via Windows APIs, which could lead to additional vulnerabilities - for example, a program that tries to execute itself with arguments can be added as an ADS to an unrelated program executable, and it might launch that unrelated program with those arguments.
-
6:30 It is pwsh but you don't have the externally downloaded PowerShell, just the one that comes bundled with Windows.
-
Awesome video John, keep up the good work (:
-
Thanks for the content John, it's perfect for students
-
A few months ago I tried to create a project around locating ADS…I should go back to that.
-
A lot of love letters will be written like this
-
I recall that some of these commands seem to truncate the input; there were some where I had to put a buffer on the front of the command because the front characters of the command were clipped for some reason. Like 14 characters would be missing. Lots of weird stuff in here
-
Amazing vid, keep it up
-
great contrib bro! I love to get new insights for stuff like this, I was never aware of that this is possible to be honest.
-
John, hope you see this. Demonstration on xz when?
-
Wouldn't AMSI detect it if it were any malicious script in a suspiciously newly created datastream?
-
So, if someone has something hidden in an alternate stream of the C:\ file system object, then how do you get rid of it without wiping the drive. Also, is it possible to see the alternate stream if C:\ is mounted as a folder, perhaps on another drive?
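Added example (not from the video or its author): the FileSystem provider's -Stream parameter lets a defender enumerate named streams under a path, including on the volume root itself, and remove one stream without touching the file's primary data. Paths and the stream name below are placeholders.

```powershell
# Added example, not code from the video. Requires Windows PowerShell 3.0+ or
# pwsh on an NTFS volume; the built-in PowerShell is sufficient.

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    # -Stream * lists every stream on an item; ':$DATA' is the normal file
    # content, so anything else is an alternate data stream worth a look.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Directories carry streams too, and Get-ChildItem never returns the root it
# was given, so a volume root such as C:\ has to be checked explicitly.
Get-Item -LiteralPath 'C:\' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Sweep a tree. Review before deleting: Zone.Identifier (Mark of the Web) is a
# legitimate stream written by browsers and mail clients on downloaded files.
Get-AlternateStreams -Path 'C:\Users\Public'

# Remove one named stream; the file's own data is left intact.
# Placeholder path and stream name, not values from the video.
Remove-Item -LiteralPath 'C:\path\to\file.txt' -Stream 'hidden.bin'
```

In cmd.exe, `dir /R` shows the same streams alongside each file, which is handy when PowerShell is not available.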
-
@20:55 : you forgot "wmic process call create" worked in cmd, not in PS.
-
Awesome trick!!!! Could you explain why the ADS on C:\ never shows up? (Maybe you did but I didn't get it ^^)