Hackers Hide with Clever Alternate Data Streams
Published 2024-04-02
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com/
JOIN MY NEWSLETTER ➡ jh.live/email
SUPPORT THE CHANNEL ➡ jh.live/patreon
SPONSOR THE CHANNEL ➡ jh.live/sponsor
FOLLOW ME EVERYWHERE ➡ jh.live/twitter | jh.live/linkedin | jh.live/discord | jh.live/instagram | jh.live/tiktok
SEND ME MALWARE ➡ jh.live/malware
YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe
All Comments (21)
-
34:32 "was i wrong all along? am i crazy?!".... this is as real as it gets lmao
-
everyone is freaked out about the xz backdoor * John Hammond:
-
A lot of people used to hide truecrypt volumes in alternate data streams back in the day. Great for exfil, unless the customer had a halfway decent DLP solution
-
Good content John....keep it goin mate.
-
We like the rambling John
-
Awesome video John, keep up the good work (:
-
Thanks for the content John its perfect for students
-
Amazing vid, keep it up
-
great contrib bro! I love to get new insights for stuff like this; I was never aware that this is possible, to be honest.
-
6:30 It is pwsh but you don't have the externally downloaded Powershell, just the one that comes bundled with Windows.
-
I recall that some of these commands seem to truncate the input; there were some of these where I had to put a buffer on the front of the command because the front characters of the command were clipped for some reason. Like 14 characters would be missing. Lots of weird stuff in here.
-
7:00 another way is via a symbolic link. Interestingly this can confuse programs that try to obtain their own executable path via Windows APIs, which could lead to additional vulnerabilities - for example, a program that tries to execute itself with arguments can be added as an ADS to an unrelated program executable, and it might launch that unrelated program with those arguments.
-
10 minute crew
-
A few months ago I tried to create a project around locating ADS… I should go back to that.
-
@20:55 : you forgot "wmic process call create" worked in cmd, not in PS.
-
Wouldn't AMSI detect it if it were any malicious script in a suspiciously newly created datastream?
-
A lot of love letters will be written like this :face-blue-smiling:
-
It's been a while since I played with this stuff. I do remember that sometimes I had to put double slashes between words in the command for it to work, for whatever reason; I also found that sometimes I had to load it into a variable in the shell and then pass the variable to the command.
-
John, hope you see this. Demonstration on xz when?
-
I can only say that you can find out if a file has something hidden in its ADS BECAUSE it is a "function" ONLY for the NTFS file system, so you can realize if something is in there if you just try to copy the file to a FAT32 file system and Windows will complain that this file is going to lose its properties! This means a lot about the file: it is very suspicious. But you cannot see the streams, only guess that something is wrong with this file, and do further investigation on it. Otherwise, if it doesn't show a lot and you are not suspicious, you will never know. With the above action you can be more suspicious and obviously will know something very strange is going on with this file.
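The copy-to-FAT32 trick above only tells you that some stream exists; the built-in PowerShell mentioned earlier can list them directly. The following is an added example, not code from the video or any commenter: it walks a directory on an NTFS volume and reports every non-default stream, flagging names outside an assumed allow-list (the `$Root` and `$KnownBenign` parameters are assumptions for the example).

```powershell
# Added example: enumerate non-default NTFS alternate data streams under a path.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume.
param(
    [string]$Root = '.',
    # Stream names commonly written by Windows itself (e.g. the mark-of-the-web);
    # reported, but not flagged. Assumed allow-list for this example.
    [string[]]$KnownBenign = @('Zone.Identifier')
)

Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream on the file, including the default ':$DATA'
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    # Anything not on the allow-list deserves a closer look
                    Suspicious = ($KnownBenign -notcontains $_.Stream)
                }
            }
    } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize

# To inspect a flagged stream's contents without executing it:
#   Get-Content -LiteralPath <file> -Stream <name>
# To remove a stream once it has been examined and judged unwanted:
#   Remove-Item -LiteralPath <file> -Stream <name>
```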