

Initial upload
nterl0k authored Nov 10, 2023
1 parent b663b5e commit a34676f
Showing 3 changed files with 52 additions and 0 deletions.
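--- /dev/null
+++ b/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml
@@ -0,0 +1,16 @@
+author: Steven Dick
+id: e18714c0-ab84-44f6-9117-5531e3eb3a0c
+date: '2023-10-30'
+description: 'Detection of common behaviors used to abouse NTFS alternate datastreams.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- WinEventLog:Security
+references:
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+- https://car.mitre.org/analytics/CAR-2020-08-001/
+- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams
+- https://blog.netwrix.com/2022/12/16/alternate_data_stream/
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21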
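Review bot: `sourcetypes` declares `WinEventLog:Security`, but `dataset` points only at `ads_abuse_sysmon.log` and the commit adds no Security event log (the diffstat shows the YAML, one LFS log and the PS1 script), so the Security sourcetype appears to have no dataset backing it; either add the corresponding `.log` under `dataset` or drop the `- WinEventLog:Security` entry so consumers do not expect events that are not there. The `description` also has a typo: `abouse` should read `abuse`.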
Git LFS file not shown
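--- /dev/null
+++ b/datasets/attack_techniques/T1564.004/ads_abuse/test_ads_abuse.ps1
@@ -0,0 +1,33 @@
+#A simple script to test multiple abuse avenues for NTFS alternate data streams.
+
+#Set working location
+$DesktopPath = [Environment]::GetFolderPath("Desktop")
+Set-Location $DesktopPath
+
+#Delete old test item/create new
+$FileName = "test_ads_abuse.txt"
+If(Test-Path "$DesktopPath\$FileName"){Remove-Item "$DesktopPath\$FileName"}
+$NewFile = New-Item -Path $DesktopPath -Name $FileName
+
+#Set Regular data to text file.
+Set-Content $NewFIle -Value "Not empty"
+
+#Write an executable to ADS (calc.exe)
+Get-Content C:\Windows\System32\calc.exe -Encoding Byte | Set-Content -Encoding Byte -Stream "Not_Malware.exe" $FileName
+
+# write some encoded powershell to ADS (pop "hello world" message box)
+$Text = {Add-Type -AssemblyName PresentationCore,PresentationFramework ; $msgBody = "Hello World" ; $msgTitle = "Hello World" ; $msgButton = 'OK' ; $msgImage = 'Warning' ; $Result = [System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage)}.ToString()
+$EncodedText = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Text))
+$EncodedText | Set-Content -Stream "Not_Malware_Code" $FileName
+
+#Open Text File
+Try{iex ".\$FileName"}Catch{}
+
+#Open "malware" (Calc.exe)
+Try{iex ".\$($FileName):not_malware.exe"}Catch{}
+
+#Execute B64 code from data stream
+Try{iex 'powershell.exe -enc $(Get-Content ".\$($FileName)" -Stream "not_malware_code")'}Catch{}
+
+#Open malware (calc.exe) #2
+Try{iex 'powershell.exe -command "& {Set-Location $DesktopPath ; .\$($FileName):not_malware.exe}"'}Catch{}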
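Review bot: All four execution attempts at the end of the script are wrapped in `Try{...}Catch{}` with an empty handler, so when an avenue fails (for example if PowerShell refuses to launch `.\test_ads_abuse.txt:not_malware.exe` directly, which is presumably why a second variant exists) nothing is reported and the captured dataset silently lacks the events that technique was meant to generate. Replacing each empty handler with `Catch{ Write-Warning "ADS test step failed: $_" }` makes it visible which techniques actually fired during collection. The `-command` string on the last line also embeds `$DesktopPath` unquoted inside the child command, so a desktop path containing a space (a username with a space) breaks `Set-Location`; writing it as `Set-Location '$DesktopPath'` avoids that. Separately, `-Encoding Byte` on the calc.exe copy line was removed in PowerShell 6+ in favour of `-AsByteStream`, so the header comment should state that the script targets Windows PowerShell 5.1 and, as it writes and executes a binary from an alternate data stream, is only meant for an isolated lab host.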
