Alternate Data Stream Attack Framework to Perform Stealth Attacks on Active Directory Hosts

Abstract

Microsoft’s file system, NTFS, is the file system most used by Windows OS versions XP, Vista, 7, and 10. These systems have a little-known file attribute feature known as alternate data streams (ADS), which allows each file in the NTFS file system to have multiple data streams. ADS cannot be removed from NTFS operating systems. However, the presence of ADS is not necessarily an issue in the OS or file system: legitimate instances can be found when systems are scanned. Windows OS does not have any in-built tools or applications to determine and remove the presence of existing ADS. This research presents ADSA, the alternate data stream attack framework, to exploit alternate data streams and perform cyberattacks on Microsoft operating systems. This research discusses the process of creating and searching alternate data streams with a standard file and an executable binary. The authors executed an executable binary hidden in an ADS. The authors present methods to detect and perform a clean-up by deleting the alternate data stream.

Cite

Bhardwaj, A., Kaushik, K., Maashi, M. S., Aljebreen, M., & Bharany, S. (2022). Alternate Data Stream Attack Framework to Perform Stealth Attacks on Active Directory Hosts. Sustainability (Switzerland), 14(19). https://doi.org/10.3390/su141912288