🦖Day 84 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows.NTFS.ADSHunter

Author: @mgreen27

Link:
https://docs.velociraptor.app/artifact_references/pages/windows.ntfs.adshunter

----

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.

Within MFT entries are file attributes, such as Extended Attributes (EA) and Alternate Data Streams or (ADSs) when more than one Data attribute is present. The stream can be used to store arbitrary data (and even complete files).

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.

https://attack.mitre.org/techniques/T1564/004/

----

BitPaymer, a ransomware variant, has been known to leverage ADSs by copying itself to an ADS called ':bin', then creating a process from the stream.

https://attack.mitre.org/software/S0570/

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

----

This artifact hunts for alternate data streams using a variety of options for targeting, including:

- Directory
- ADS name (inclusion or exclusion)
- ADS Content
- Minimum content size
- Maximum content size

Once found, a stream can also be uploaded to the Velociraptor server.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

If you would like to experiment with ADSs for yourself, check out the link to the associated Atomic Red Team tests below!

https://atomicredteam.io/defense-evasion/T1564.004/

#DFIR
#Forensics
#Infosec
#T1564.004
#ThreatHunting
#Windows