Displaying streams as xattrs
Jeremy Allison
jra at samba.org
Tue May 23 22:34:11 UTC 2023
On Wed, May 24, 2023 at 07:44:36AM +1000, ronnie sahlberg wrote:
>On Wed, 24 May 2023 at 02:25, Jeremy Allison <jra at samba.org> wrote:
>>
>> On Tue, May 23, 2023 at 10:59:27AM +1000, ronnie sahlberg wrote:
>>
>> >There are really nice use-cases for ADS where one can store additional
>> >metadata within the "file" itself.
>>
>> "Nice" for virus writers, yeah. A complete swamp for everyone
>> else :-).
>
>Viruses? I don't think they use ADS much since most tools under
>windows understand ADS.
https://insights.sei.cmu.edu/blog/using-alternate-data-streams-in-the-collection-and-exfiltration-of-data/
"Malware that takes advantage of ADSs is not new. MITRE lists over a
dozen named malware examples that use ADSs to hide artifacts and evade
detection. Attack tools, such as Astaroth, Bitpaymer, and PowerDuke,
have been extensively detailed by various parties, providing insight
into how these threats take advantage of ADS evasion on a host system.
Authors, such as Berghel and Brajkovska, downplay the risks of ADSs. Our
opinion, however, is that ADSs introduced the host of concealment and
obfuscation techniques outlined above, but little has been done to
mitigate these worries since their publication in 2004."
As I also recall the published US "hacking toolset" also used
an ADS on the root directory of a share to exfiltrate data
from the target.
ADS - "Just Say No !"
:-).
More information about the samba-technical
mailing list