Threat Hunters Corner: Alternate Data Streams and Extended Attributes

by Josh Shepard on 2025 | 02


Welcome 

Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode, we’ll be explaining what Alternate Data Streams and Extended Attributes are, why threat actors like them, and some things to look for that could indicate abuse.


RADBot Generated Text Summary

Introduction 

Hey everyone, Josh Shepard here, Principal Threat Hunter at Radical. Welcome to another edition of the Threat Hunters Corner. This week, we delve into a sophisticated defense evasion technique that allows threat actors to hide data within seemingly benign files. This technique varies slightly depending on the operating system in use. 

Alternate Data Streams in Windows 

On Windows, this technique leverages a feature known as Alternate Data Streams (ADS). ADS is an NTFS feature that allows additional data to be stored within a file without altering its primary data stream. For instance, consider a file named good.txt. The primary data stream contains the text within good.txt, but Windows permits the storage of additional data in this file, known as an alternate data stream. 

Legitimate Uses of ADS 

One common legitimate use of ADS in Windows is the "Mark of the Web" (MOTW). MOTW is metadata indicating the origin of an internet-born file, stored in an alternate data stream. Typically, alternate data streams are represented by the primary file name followed by a colon and the name of the additional data stream (e.g., good.txt:evil.txt). 

Threat Actor Exploitation 

Threat actors exploit ADS because it lets them hide data in plain sight. Standard directory listings and Windows Explorer do not display alternate data streams; to see them, one must use specific commands such as dir /R in the command prompt. Furthermore, adding an alternate data stream does not change the hash value of the primary file: the hash of good.txt is the same before and after evil.txt is attached to it as good.txt:evil.txt, which makes it difficult for hash-based detection systems to identify the malicious addition. 

Extended Attributes in macOS 

macOS has a similar concept called Extended Attributes (xattr). Extended attributes are metadata attached to a file. They can be viewed and set using the xattr utility in macOS. Like ADS, extended attributes are often used for legitimate purposes, such as the network quarantine attribute that macOS adds to files from untrusted internet sources. 

Threat Actor Exploitation 

Extended attributes, like ADS, do not alter the hash value of the file, providing a stealthy method for threat actors to embed additional data without triggering hash-based detections. 

Detection Strategies 

Windows 

To detect the use of ADS in Windows, consider the following strategies: 

  1. Monitor Unusual Commands: Look for commands that access or view alternate data streams, such as dir /R in the command prompt or Get-Content -Stream / Set-Content -Stream in PowerShell. 
  2. Regex Analytics: Develop regex-based analytics to identify file names with a colon followed by additional data (e.g., file.txt:evil.txt). 

macOS 

For macOS, focus on the xattr utility: 

  1. Monitor xattr Usage: Track the use of the xattr utility to set or view extended attributes. 
  2. Filter Known Benign Positives: Filter out known benign uses of extended attributes, such as the network quarantine attribute. 
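The following script is an added illustration, not part of the original post, that applies the Windows and macOS strategies above to a handful of constructed process command lines. It assumes process-creation telemetry that exposes the full command line; the sample events, regexes and rule names are my own, and com.apple.quarantine is the real name of the macOS quarantine attribute mentioned above.

```python
import re

# Constructed sample process-creation events (host OS, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("windows", r"cmd.exe /c dir /R C:\Users\alice\Downloads"),
    ("windows", r"powershell.exe Get-Content -Path C:\Users\alice\good.txt -Stream evil"),
    ("windows", r"powershell.exe Set-Content -Path C:\temp\good.txt:evil.txt -Value x"),
    ("windows", r"notepad.exe C:\Users\alice\notes.txt"),  # drive-letter colon only: benign
    ("macos", "xattr -p com.apple.quarantine /Users/alice/Downloads/tool.dmg"),
    ("macos", "xattr -w user.payload c2FtcGxl /Users/alice/good.txt"),
    ("macos", "ls -la /Users/alice"),
]

# Windows: ADS-aware commands, and file:stream names. The path regex skips the drive-letter
# colon in C:\ by requiring a dotted file name before the colon and a stream name that
# starts with a letter or underscore (which also keeps host:port strings from matching).
ADS_COMMAND_RE = re.compile(r"\bdir\b.*\s/R\b|\b(Get|Set)-Content\b.*\s-Stream\b", re.I)
ADS_PATH_RE = re.compile(r"(?<![:\w])[\w.\-]+\.\w+:[A-Za-z_][\w.\-$]*")
# macOS: attributes whose use alone is expected (the quarantine attribute from the post).
BENIGN_XATTRS = {"com.apple.quarantine"}
XATTR_NAME_FLAGS = {"-p", "-w", "-d"}  # xattr flags whose next argument is an attribute name


def check_windows(cmdline):
    """Return the rule name a Windows command line triggers, or None."""
    if ADS_COMMAND_RE.search(cmdline):
        return "ads_command"
    if ADS_PATH_RE.search(cmdline):
        return "ads_path"
    return None


def check_macos(cmdline):
    """Return 'xattr_usage' unless the xattr call only touches benign attributes."""
    argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return None
    names = {argv[i + 1] for i, a in enumerate(argv[:-1]) if a in XATTR_NAME_FLAGS}
    if names and names <= BENIGN_XATTRS:
        return None  # only the quarantine attribute was read or changed
    return "xattr_usage"


def hunt(events):
    """Run both checks over (os, cmdline) tuples; return (os, rule, cmdline) hits."""
    hits = []
    for host_os, cmdline in events:
        rule = check_windows(cmdline) if host_os == "windows" else check_macos(cmdline)
        if rule:
            hits.append((host_os, rule, cmdline))
    return hits
```

Running hunt(SAMPLE_EVENTS) flags the dir /R and Get-Content -Stream commands, the good.txt:evil.txt path and the xattr -w call, while the plain notepad path and the quarantine-only xattr call pass.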

Conclusion 

Both alternate data streams in Windows and extended attributes in macOS are powerful tools for threat actors to evade detection. By understanding these techniques and implementing robust detection strategies, you can enhance your threat hunting capabilities. 

If you have any questions about alternate data streams or extended attributes, feel free to reach out. I'm always happy to have a conversation. Stay safe out there, and see you in the next episode of the Threat Hunters Corner.
