Hackers Hide with Clever Alternate Data Streams

Published 2024-04-02
jh.live/crowdsec || Get curated threat intelligence powered by the crowd, and contribute to better cybersecurity defense with CrowdSec: jh.live/crowdsec

Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com/

📧 JOIN MY NEWSLETTER ➡ jh.live/email
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥 YOUTUBE ALGORITHM ➡ Like, Comment, & Subs

All Comments (21)
  • @BPL-Whipster
    A lot of people used to hide TrueCrypt volumes in alternate data streams back in the day. Great for exfil, unless the customer had a halfway decent DLP solution.
  • @simbad3311
    Good content John... keep it going mate.
  • @timschannel247
    Great contrib bro! I love to get new insights for stuff like this; I was never aware that this was possible, to be honest.
  • @muizzsiddique
    6:30 It is pwsh, but you don't have the externally downloaded PowerShell, just the one that comes bundled with Windows.
  • @kabaduck
    I recall that some of these commands seem to truncate the input; there were some where I had to put a buffer on the front of the command because the front characters of the command were clipped for some reason. Like 14 characters would be missing. Lots of weird stuff in here.
  • @N....
    7:00 Another way is via a symbolic link. Interestingly, this can confuse programs that try to obtain their own executable path via Windows APIs, which could lead to additional vulnerabilities. For example, a program that tries to execute itself with arguments can be added as an ADS to an unrelated program executable, and it might launch that unrelated program with those arguments.
  • @socksman669
    A few months ago I tried to create a project around locating ADS... I should go back to that.
  • @darknode4791
    Wouldn't AMSI detect it if it were any malicious script in a suspiciously newly created datastream?
  • @luckyloo2228
    A lot of love letters will be written like this 🙂
  • @kabaduck
    It's been a while since I played with this stuff. I do remember that sometimes I had to put double slashes between words in the command for it to work, for whatever reason; I also found that sometimes I had to load it into a variable in the shell and then pass the variable to the command.
  • I can only say that you can find out if a file has something hidden in it's ADS BECAUSE it is a "function" ONLY for the NTFS file system, so you can realize if something is in there if you just try to copy the file to a fat32 file system and windows will complain that this file is going to loose it's properties...!! This means a lot about the file ....it is very suspicious .... but you cannot see the streams only to guess that something is wrong with this file...and do farther investigation on it. Otherwise if it doesn't show at lot and you are not suspicious you will never know.!!! With the above action you can be more suspicious and obviously will know something very strange is going on with this file...