
Malicious Alternate Data Streams In Windows

 ·  ☕ 1 min read  ·  🐱 thik

The idea here is to hide a payload inside an NTFS Alternate Data Stream (ADS) using Certutil.

Generate ADS

αžαžΆαž„αž€αŸ’αžšαŸ„αž˜αž‡αžΆαžŠαŸ†αžŽαžΎαžšαž€αžΆαžšαž€αŸ’αž“αž»αž„αž€αžΆαžšαž›αžΆαž€αŸ‹ Payload Strings αž“αŸ…αž€αŸ’αž“αž»αž„ ADS αžŠαŸ„αž™αž”αŸ’αžšαžΎαž”αŸ’αžšαžΆαžŸαŸ‹αž–αžΆαž€αŸ’αž™αž”αž‰αŸ’αž‡αžΆαžŠαŸ‚αž›αž˜αžΆαž“αžŸαŸ’αžšαžΆαž”αŸ‹αž€αŸ’αž“αž»αž„ Powershell αŸ”

Open a CMD window and type the following command:

echo payload > hello.txt:payload.bin

The string payload is now stored in an ADS of hello.txt named payload.bin. To view or edit it we can open it in Notepad with the following command:

notepad hello.txt:payload.bin

[Screenshot: Generate ADS]

Certutil

Generate a payload with Metasploit, Cobalt Strike, DCRat or similar. Then turn it into a certificate-style text file by running the following command in PowerShell:

certutil -encode ./payload.exe payload.txt

[Screenshot: Encode Certutil Payload]

Next, copy the entire text of payload.txt and save it into the payload.bin stream that was opened in Notepad in step 1.

[Screenshot: Decode Certutil Payload]

PWN The Payload

To recover the malicious file hidden in the ADS (payload.bin), we can run the following command in PowerShell:

certutil -decode hello.txt:payload.bin payload.exe

At this point the malicious file has been recovered and can be run as normal.

[Screenshot: PWN]
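From the defender's side, the hello.txt:payload.bin pattern above is easy to hunt for, because certutil -encode wraps its base64 output in PEM certificate markers. The following PowerShell script is an added example, not code from the original post: it enumerates alternate data streams under a directory and flags those carrying a certutil-encoded blob; $Root and $SkipZoneIdentifier are assumed parameters, and it assumes Windows PowerShell 3 or later on an NTFS volume.

```powershell
# Added example, not from the original post: enumerate alternate data streams
# under a directory and flag those holding a certutil-encoded payload, i.e. the
# hello.txt:payload.bin pattern from this page. Assumes Windows PowerShell 3+
# on an NTFS volume; $Root and $SkipZoneIdentifier are assumed parameters.
param(
    [string]$Root = "$env:USERPROFILE",
    [switch]$SkipZoneIdentifier   # browsers add a Zone.Identifier ADS; usually benign
)

function Find-EncodedStreams {
    param([string]$Path, [switch]$SkipZone)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; any other name is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $name = $_.Stream
            if ($SkipZone -and $name -eq 'Zone.Identifier') { return }

            # Read the stream as text; certutil -encode wraps base64 in PEM markers.
            $text = Get-Content -LiteralPath $file.FullName -Stream $name -Raw -ErrorAction SilentlyContinue
            $hasPem = ($text -match '-----BEGIN CERTIFICATE-----') -and
                      ($text -match '-----END CERTIFICATE-----')
            # 'TVqQ' is the base64 encoding of 'MZ' + 0x90, the usual start of a PE file,
            # so its presence inside the PEM block is a stronger hint than the markers alone.
            $hasMz = $text -match 'TVqQ'

            [pscustomobject]@{
                File            = $file.FullName
                Stream          = $name
                Bytes           = $_.Length
                CertutilEncoded = $hasPem
                LooksLikePE     = ($hasPem -and $hasMz)
            }
        }
    }
}

Find-EncodedStreams -Path $Root -SkipZone:$SkipZoneIdentifier |
    Sort-Object LooksLikePE, CertutilEncoded -Descending |
    Format-Table -AutoSize
```

This scan only finds streams already on disk; Sysmon Event ID 15 (FileCreateStreamHash) records ADS creation as it happens, and process-creation logging of certutil.exe run with -decode covers the recovery step.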

More detail on ADS: ADS
Related resources: Malwarebytes, Netwrix, Minitool


Written by thik, Security Researcher