You can get pretty creative with whatever. However, it has recently popped up a lot in the classes I’ve been taking, and it’s still a great technique to use to bypass some detection, and if you’re creative… there are a TONS of fun things you can utilize ADS for! Attack vectors CAB and you can then explore the contents using Windows Explorer or extract it with extrac32.exe (C:WindowsSystem32). I initially learned this a few years ago but didn’t utilize it and just kind of forgot about it. What this does it that it mark where the file came from (for example, trusted internal, from the internet…etc).Īs I’m studying for my cert soon, this topic came up and it reminded me of all the fun stuffs you can do. extrac32.exe /Y /E portable.cab (PID: 4024). Starting with Windows 7+, the concept of Zone.Identifier stream was introduced. Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1. Without going too much into the forensics behind NTFS file system, every file have at least one stream know as $DATA. Same with fav icons in Internet Shortcut files, or thumbnails, etc… If you remember back to those Windows Media days, when you play a song, and you used to see the song title, author’s data, year…etc. It’s usually accessible via the colon mark. In NTFS, Alternate Data Stream is essentially a file, information behind another file or folder.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |