How to Hide Data in NTFS Streams and Break Software Integrity – From the WikiLeaks CIA Vault Leaks

WikiLeaks has released a CIA operations manual. Documents have been posted, with promises of more. Currently, I am working through them like many other security researchers, hackers and the technologically curious. Due to the partial status of the leak, it is missing any real exploits, so I decided to fill in the operations manual with exploits and how-to articles.

One technique caught my eye: hiding data in NTFS data streams. The full instructions were missing. I have enjoyed using this technique for many years now. Some people already know about it; Microsoft even posted a blog on it back in 2013. We’ll take it one step further in a how-to with some hashing 🙂 Microsoft has long had a tool called SysInternals Streams.exe available for free download which can be used for this technique.

If an attacker wants to hide data in plain sight, this is one method to consider depending on the situation. NTFS ADS is also referred to as forking. Yes, it has been used maliciously in the past. I decided to update the original posting with full instructions, then take it up a notch to show you how to break file integrity checks (SHA256 and the rest) by using NTFS ADS.

Update to the original leaked CIA manual, for everyone 🙂

NTFS Alternate Data Streams (ADS)

Exfiltration, manipulation of software and file integrity, obfuscation

Alternate Data Streams on the Root of the Drive

Depending on the target and system configuration, an NTFS alternate data stream (ADS) should be considered a viable method to hide data and foil protection or alerting, particularly where the protection present relies heavily on file hashing to verify file integrity. This holds whether the goal is exfiltration, manipulation of integrity, obfuscation or general tradecraft. It is great for bypassing many security controls and pivoting deeper into a target network.

There are several methods. One of the easiest is from the command prompt, working in the root directory of a hard drive. This can also be accomplished remotely if you already have remote access to the victim.

Gain access to the victim, local or remote

Using a victim’s D drive as an example, due to limited privileges: the attacker has a file of IP addresses, which are additional Command and Control domains related to both StoneDrill and NewsBeEF, in addition to Kaspersky’s list. As part of a targeted attack, the attacker needs to get this list onto a victim machine silently. The attack can also be done with PowerShell or a batch file. Renaming batch files once they are on the system to bypass security controls is normally easy with limited access. If it’s an executable, you can also use this technique with PSExec.exe. Many anti-malware and other protection products will catch PSExec, but not always.

[Screenshot: sample contents of the evil file]

Perform the NTFS ADS and hide the Evil file

Open a command prompt, local or remote, on the victim machine. For ease of use, the attacker has placed the text file of Command and Control servers in the root of D, naming it evilcncips.txt.

Create the file you want to hide the evil file in. In this example, we will call this file testfile.txt. At the root, type the following commands. The first command creates the innocent file. The second command hides the evil file behind the innocent-looking file.

ECHO "This is a test file" >testfile.txt
ECHO "This is the evil text in the ADS file" >testfile.txt:evilcncips.txt


Verify the NTFS ADS Stream worked

Check what the directory shows in the command prompt. It should look the same as before the NTFS ADS.

[Screenshot: directory listing in the command prompt]

[Screenshot: what the directory looks like in the GUI]

Although it is easy to display NTFS ADS streams/forks in a command prompt, this is beyond the normal user level and most technical users as well. The technique is still somewhat obscure as a method for attack or espionage. The GUI portion of Windows will not readily show the NTFS ADS file.

At the command prompt, confirm the NTFS ADS stream worked. The listing will show the original file on one line and the hidden stream on the next.

dir /r


When practicing, also verify using Streams.exe. In this example, Streams.exe was installed.

Open a command prompt and change the working directory to where Streams is located. Then execute Streams against the innocent-looking file, testfile.txt:

streams d:\testfile.txt


Hashing to F*ck with File Integrity

To make sure you hid the evil file on the victim machine, hash the innocent file prior to the NTFS ADS and record the hash. The default hashing algorithm in PowerShell is SHA256. Because modern Windows-based victim machines have PowerShell, no additional tools are required to hash. The attacker does not need to be an administrator to use PowerShell to hash a file; PowerShell is not being run as an administrator in this example. Most users and enterprise administrators are still unfamiliar with PowerShell and leave functionality in a default configuration an attacker could exploit.

At a PowerShell prompt, use the cmdlet Get-FileHash, then the -Path where the original file is located.

Get-FileHash -Path d:\testfile.txt


After the NTFS ADS, hash the original file again where the evil file is hidden.


The hash will be the same: 9BB114C0FE4F787EF64A43F310EA81F273FC87001503A141A125D9689AE8DFEF

If the victim uses the NTFS file system, which most modern Windows versions do, anyone can hide whatever evil file they wish inside an innocent one in a root directory, as in the examples shown. Neither the victim nor the attacker can display the hidden file in the GUI. Defence depends on whether the target’s protection mechanisms can recognize the evil file or its behaviour. Rarely is dir /r used. The file can be hidden and hashed with MD5, SHA1, SHA256, etc. The evil file will stay hidden. This technique can easily be recreated and practiced before using it on a target.
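As an added example, not part of the original post or of Sysinternals Streams, here is the check a defender wants next to Get-FileHash: hash every stream of the file, not only the primary one, and sweep a tree for files that carry a named stream at all. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume and uses the d:\testfile.txt path from the walkthrough.

```powershell
# Added example (not from the original post): hash every NTFS stream of a file,
# not just the primary one that Get-FileHash -Path and most integrity tools read.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
function Get-NtfsStreamHashes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('SHA256', 'SHA1', 'MD5')] [string] $Algorithm = 'SHA256'
    )
    $file = Get-Item -LiteralPath $Path
    # -Stream * lists every stream; the primary (unnamed) one appears as ':$DATA'.
    foreach ($s in Get-Item -LiteralPath $file.FullName -Stream *) {
        # Read the stream as raw bytes so the hash matches what Get-FileHash computes
        # over the same data; the byte-reading switch changed name in PowerShell 6.
        $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
            Get-Content -LiteralPath $file.FullName -Stream $s.Stream -AsByteStream -ReadCount 0
        } else {
            Get-Content -LiteralPath $file.FullName -Stream $s.Stream -Encoding Byte -ReadCount 0
        }
        if ($null -eq $bytes) { $bytes = New-Object byte[] 0 }   # empty stream
        $ms = [System.IO.MemoryStream]::new([byte[]]$bytes)
        try {
            $hash = (Get-FileHash -InputStream $ms -Algorithm $Algorithm).Hash
        } finally {
            $ms.Dispose()
        }
        [pscustomobject]@{
            File      = $file.FullName
            Stream    = $s.Stream
            Length    = $s.Length
            Algorithm = $Algorithm
            Hash      = $hash
        }
    }
}

# Sweep a directory tree for files carrying a named stream. Zone.Identifier is the
# Mark-of-the-Web stream written on downloaded files and is the usual benign hit, so
# it is filtered out by default; anything else deserves a look with the function above.
function Find-NtfsAlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# The file from the walkthrough: the ':$DATA' row reproduces the Get-FileHash value
# recorded above, while the hidden stream gets its own, different hash.
Get-NtfsStreamHashes -Path 'd:\testfile.txt' | Format-Table Stream, Length, Hash -AutoSize
Find-NtfsAlternateStreams -Root 'd:\' | Format-Table -AutoSize
```

A file-integrity baseline that records the per-stream hashes (or simply the count of named streams) catches the case in the post, where the primary-stream hash is unchanged.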


The result: relying on hashes for file integrity does not completely mitigate this risk or attack technique. The hash process in a way hides the data further by giving a false impression of limited risk. Many security products rely on hashing for file integrity. It’s accepted best practice. Now everyone knows it can be manipulated under certain conditions. I wrote about it in 2012, but never shared it with the public. I feared an evil government could misuse it. Even if a great, free-hugs-for-everyone government is in power and sitting on exploits, can you trust that the next person or party in power won’t be or turn evil?


I guess I don’t need that password or to encrypt the paper anymore. Thanks CIA & WikiLeaks 🙂

Microsoft’s Docs.com: Search your privacy away

Because searching another user’s documents is a great idea!

Last week a friend sent me the link and said it was a gold mine. Yes it is 😊 The breach was announced on Radio 1 Netherlands on 27 March 2017 as limited to some CVs or resumes. No, no, no my friend. It is wide open. Microsoft sounded as if they had already fixed part of the problem. It’s days later and I can say: nope.

Use the search function for “SSN”, the acronym for the USA taxpayer identification number, the Social Security Number.

Search using a browser that allows JavaScript:

[Screenshot: Docs.com search bar]

Get filled out loan, school, medical, tax, and other related documents. Below is a sanitized example of a person’s filled out loan deferment request form.

[Screenshot: Docs.com school deferment form]

I currently live in the Netherlands, land of the free, home of the Orange. To discover documents in Dutch, we changed the search terms and the language. A search for “kanker”, which is cancer in Dutch, yielded financial tax documents.

[Screenshot: Docs.com “kanker” search]

Using the search term “schulden”, which is debts in Dutch, on 3 April 2017 documents with personally identifiable information were still viewable.

[Screenshot: Docs.com “schulden” debts form]

Business yearly financial workbooks were viewable and their fields editable on 3 April 2017. A quick snap of my virtual machine’s system clock:

[Screenshot: Docs.com editable Excel financial workbook of a Dutch business]

There are debt collectors’ documents listing court fees, and hospital documents. When I was informed of the leak last week, I went looking for a Microsoft Bug Bounty for privacy-based vulnerabilities or breaches. There aren’t any. There are bounties for most of their products at the application level. That explains a lot about Windows 10. In the Netherlands, the Dutch Data Protection Agency fines companies for these types of violations.

A search for “NHS Cards” yields NHS numbers, scanned cards, NHS email accounts:

[Screenshot: scanned NHS card found on Docs.com]

Since internet search engines index whatever they can, you don’t even need to search in Docs.com to find content: use Google, Bing, DuckDuckGo, etc.

[Screenshot: Docs.com content indexed by search engines]

Please, Microsoft, flash a big warning to users of the system: “Before you save documents to Docs.com, please remove any personally identifiable information and do not post the PII of others. Anything you post here can be seen by the world!” Also, seriously consider a privacy-based bug bounty program. The EU GDPR comes into full effect soon and the fines promise pain.


My Top Five Favourite IT Security Leaks from WikiLeaks #SaudiCables

And why emails containing confidential information should be encrypted

The Saudi Cables are a leak from the Saudi Arabian Ministry of Foreign Affairs (SMoFA). It’s a juicy leak, mostly in Arabic. It’s an excellent source for reconnaissance information and a great example of OSINT.

Number 5

A senior consultant from Microsoft emailed the deployment guide for Configuration Manager and Operations Manager to the Saudi Ministry of Foreign Affairs. The document is from 2012, but it’s not likely the SMoFA has drastically changed their configuration. One of the requirements lists computer discovery as taking less than one day; an attacker could use this information as a time limit when setting up a rogue device inside the network. Some of the vendors listed in the document are F5, Cisco, Juniper firewalls, Trend Micro, Microsoft SQL and Active Directory.



Document download:


Number 4

In 2015 a sales person or consultant from McAfee/Intel Security emailed the SMoFA a list of customers in Saudi Arabia. The list shows many Saudi clients who use McAfee End Point Protection (EPO), the centrally managed anti-virus and security offering from McAfee/Intel. The sales person did not encrypt the email. It is a pain in the arse to change a centrally managed anti-virus or security manager: expensive, time-consuming, and it is highly likely the customers listed still use the product in 2017. I will also remind folks that it’s damn difficult to uninstall McAfee/Intel anti-virus. John McAfee, the creator and former owner, made a video to help people try to uninstall the product. An attacker can use knowledge of which end point protection is installed on a victim machine to their advantage. There have been numerous exploits allowing compromise of EPO and other, similar products. US-CERT issued an alert in 2013 about an exploit tool targeting EPO. The document also contains some useful email addresses.


URL with document:


Number 3

An undated internal asset scan of the SMoFA’s network. It lists host names, MAC addresses, system specifications, internal IP addresses, operating systems and descriptions of the assets. Want to know about their Domain Controllers, Proxies, WSUS update servers, Oracle app servers, Visa servers and so on? It is very rich in internal asset information. Judging by the system specifications, it looks like it dates from around 2013-2015. The leak displays gold such as VM Biometric Application and VM Embassy Finance site. The list is in Excel format, and it’s long.



Document download:

Number 2

An employee from the SMoFA emailed Phase 2 of a FireEye internal vulnerability assessment report to another SMoFA employee. The report is over 212 pages long and dated from late 2014. The report scope covers an internal network assessment against the servers and virtual machines focused on “exploitable vulnerabilities which could allow unauthorised access to systems and/or sensitive data.”  I think the word irony comes to mind since this document was leaked. In my experience, not everything is patched up or fixed after a penetration or vulnerability test is completed and presented. There are gems such as “With root access, consultants were able to compromise the password hashes in the shadow file.” & “Use an MS-SQL client to interact with the remote server.  Use the following credentials:     Account: admin     Password: admin”


URL and document:

Number 1 – Operation Cleaver Report

A follow-up with a security investigation report, Incident ID: 0020-1114, attached. The 14-page report is about a compromise by the Iranians starting in 2014. The communication starts with requests to disable user accounts, reset passwords and take other precautions based on indicators of compromise. Some of the user accounts listed appear in other SMoFA IT-related communications and appear to be part of the SMoFA IT security team. A summary of the report:

An incident was reported on 19 November 2014 regarding a workstation making suspect HTTP requests. The workstation was critical, and an investigation was launched immediately. After forensics, the focus shifted to two administrative workstations and an SMoFA proxy server. One of the workstations had a process “netscp.exe” which was a Trojan, “Gen.Variant.Kazy”, calling out to an IP address. This IP is now registered to UK-Redstation. It’s listed in Robtex, but not in Netcraft, Shodan or the Wayback Machine. The process “netscp.exe” was not detected by their McAfee EPO end point anti-virus and security protection. The SMoFA report lists the Cylance Operation Cleaver report and IOCs confirming the incident.

Social engineering took place against a system administrator via his LinkedIn profile: a job offer on 14 July 2014. The email sent contained a link to a resume creation suite that submits resumes to a fake employer called Teledyne. The SMoFA administrator both gave away personal information by submitting his resume and, through that action, installed TinyZBot malware on 21 July 2014. Access to the SMoFA network followed, using anonymous FTP and SOAP (checkupdate.asmx), on 25 July 2014. VPN access using the compromised account was also granted the same day. The malware was finally detected by their anti-virus after a signature update on 2 December 2014.


Figure 1 Pastebin Cylance Operation Cleaver Iranian retaliation graphic

The SMoFA report contains the steps they took to detect, contain and eradicate, plus lessons learned. Some of those lessons learned are which IP ranges are no longer allowed to access the proxy and an IP address blocked on the firewall. When the report was written, it noted they only stored logs for seven days and had no SIEM, and that firewall rules needed to be tuned and reviewed. Typical stuff that happens to an operational network which isn’t adequately managed with a security focus. The report also gives a packet snapshot. The report provides insight into how the SMoFA handles an incident.


Figure 2 Sample packet capture output from the SMoFA report

URL and document:

Pastebin to the Cylance report:


Social Engineering Tips

Cleaning crews and Keyloggers, oh my!


Capture The Flag competitions are very useful ways to rethink and find creative solutions to a challenge. The Social Engineering CTF made me think about a few angles I hadn’t considered before. The flag list runs from the top item, is IT support handled in house or outsourced?, all the way down to what technology the company is using. What’s contained in the photograph are potential attack vectors or key bits of information that could lead to exploitable opportunities. Take a gander 🙂


Say Cyber one more time…

IT Security’s love hate relationship with the word Cyber

I attended DefCon 22 and as usual it was great! However, the word Cyber brewed controversy and passionate debates. One presentation by Keren Elazari thoroughly summarized the word’s roots and explained its essence. Others carried flasks embracing liquid alcohol yumminess upon the mere mention of the word.


I personally say it’s here as long as it’s used correctly but not too frequently. Do you hate the word? Have you played the Cyber drinking game? Or do you embrace it like a warm Snuggie?

DefCon 22 participant custom made T-shirt

How to suck at setting up an Information Security Awareness training program for your organization

In my 20+ years of working in IT Security I have seen great programs and completely non-existent programs. Most organizations I’ve worked for have yearly Ethics Training but no end user/employee based IT Security training. Organizations understand damage to reputation and fines for ethics violations but are still ignorant of the real risk of damage to reputation or fines resulting from data breaches. Ethics training is as important and can go hand in hand with a robust IT Security awareness program.

1. Start an awareness program without full executive/management buy-in.
   a. New is change and change is . If you have buy-in at a high level, employees will have more confidence in the program.
   b. Added bonus: higher visibility with D$cision Makers!

2. Start an Information Security Awareness training program just to check a box.
   a. If your organization doesn’t take it seriously, your employees won’t either.

3. Start an Information Security Awareness training program with no budget.
   a. An Information Security Awareness training program is risk mitigation.
   b. Your CEO is averting or minimizing that horrible press release when your customer database is posted to PasteBin! This will make their lives easier.
   c. Post-it note IT Security awareness “posters” by the coffee machine might work for an office with a few people, maybe.

4. Assume Information Technology or Information Security is solely responsible for data protection.
   a. Every employee is entrusted with valuable data; everyone in the organization should protect it.

5. Inability of management or employees to understand the value of the data they are entrusted with.
   a. That new research and development into nanotechnology whatever is worth money, at least as much as your company has spent in R&D.

6. Assume IT or IT Security personnel are trainers and can train employees.
   a. These are IT/IT Security professionals, not Professional
   b. If IT or IS must train employees, train-the-trainer must be funded for the program to be successful.

7. Pay an outside consulting firm to start an awareness program without actual knowledge of your business.
   a. Knowing your business means you can observe how technology is utilized by business units.

8. Internally start an awareness program without asking the business units.
   a. Same as #6. Get to know your business units’ higher-risk targets; for example, the personal assistants to upper management or C-level executives are also targets.

9. Assume a logon splash screen, “Use this computer or network for business only!”, constitutes a proper Information Security Awareness training program.
   a. How many people actually read those warnings on a regular basis? I log in before coffee, so I know I don’t.

10. Enforce usage guidelines without a complementary Information Security Awareness training program.
   a. “You are being written up for X,” says HR. “But I didn’t even know X was wrong to do?!” says the employee. Otherwise known as: don’t hit people with a big stick if they don’t know what they did wrong.

How to get on a USA Government Surveillance list

Use any advanced search techniques in Google and you’re a Cyber-Terrorist

A recent warning posted to USA law enforcement listing advanced Google search techniques as indicators of Cyber-Terrorism is slightly chilling. Thanks to Sadly, this is not the Onion, where I saw this story. The advanced techniques are old-school ways of ensuring you return only the filtered data you want, more accurately. Google Dorking, as it’s called in slang, is a method of searching for a specific keyword under specific conditions. For example, if you want to search only one website for the keyword LolCats, in Dorking terms it is: + “LolCats”.

Sean Gallagher from Ars Technica commented that he believed the notice was meant to be more of a wake-up call to make law enforcement IT more aware of the techniques. I slightly disagree and saw only FUD in the law enforcement notice. The same story’s commentary also mentions how using advanced Google searches has already landed some reporters in trouble, wrongfully accused of criminal activity due to massive technology misunderstandings. Using a search engine is not illegal, at least not yet.

My advice, if you are in law enforcement agency IT: learn more about Open Source Intelligence and disregard FUD notices written by technologically challenged policy makers. Here are ten friendly tips to help find or protect your internet-exposed assets:

  1. Keep all public-facing digital assets updated and harden them. There is no reason why you should be running old, weak crud on the internet.
  2. Read Apache Security if you are running an Apache web server.
  3. Read How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services, with the security guidance of ISS Security, if you are running Windows Server.
  4. Best option: rent space on Amazon AWS or Microsoft Azure. They have DDoS defenses and can get you an inexpensive, new server version up and running. This gets a web server off your network, cheaply, with defenses available, and limits damage to reputation only, with no information leakage. Also, if hardware breaks, there is no interruption for the most part and they fix everything within tight service level agreements.
  5. Scan your public servers and internal servers with Evil FOCA from Informatica64. Scan all your domains, download all documents, analyze them and take a look at what you have up for the public to see and the baddies to exploit. Review your metadata exposure.
  6. Google Dorking is a good passive reconnaissance tool, but if I wear my Ethical Hacker hat I wouldn’t use it before committing a crime; I would move to non-tracking search engines, combined with untraceable connections several hops away. Run regular searches using different search engines to learn your public exposure.
  7. Use ShodanHQ against your domain, IP range and keywords by using a filter. I love Shodan 🙂 Try a super advanced search word like: police. I’m disappointed but not surprised: Owen Sound Police Services – FirePro event data server and Wildwood Crest Police webmail server. Try to limit the amount of data available on your public-facing assets. Please don’t advertise so obviously unless you are running a honeypot!
  8. If budgets have your IT bogged down, network and pool external resources and contractors. What if four departments could share one full-time, traveling IT Security contractor?
  9. Cover all web-enabled cameras when not in use, especially in interrogation rooms!
  10. Read the SANS Internet Storm Center diary every day and listen to the podcast.


Using Google Dorking or any other advanced internet search is neither illegal nor an indicator of cyber terrorism. However, exposing private IT assets to the internet without proper hardening helps no one but criminals.

Python Adventures – 05

Following the free e-book Learn Python the Hard Way and getting down the basics of Python. Exercise 1: A Good First Program is how to write your very first Hello World! program.


Bring up Canopy in Ubuntu or Windows and start a new script.


# -*- coding: utf-8 -*-
# Python 2 print statements, as in the exercise. The string delimiters are plain
# ASCII quotes; the curly quotes inside the last three strings are literal text,
# which is why the coding line above is needed.
print "Hello there world!"
print "Hello back to you!"
print "I like typing with you."
print "Typing back is fun."
print 'Yay! Printing lines with Python.'
print 'Um, I’m not touching “that!”'
print 'I thought you “liked” Pythons? “wink, wink, nudge nudge” '
print 'The language Python and that dear Sir is definitely not a “Python”!'


If all goes well you should see a similar result:


My PowerShell acted a little funny and changed some characters:


However, with the assistance of a colleague, a PowerShell guru, I learned an important lesson: characters might look the same but are not. For instance, the " I used versus what is on the website. I tried at first to type out the script but it didn’t work; I kept getting syntax errors. When I copied from the exercise website, it worked in Canopy. I rewrote everything except the quote structure, and it worked in Canopy. When I ran it in PowerShell: strange characters. As in real life, one sometimes must employ escape techniques around a Python. These are called escape characters, so a \" is just a ".


The corrected Python:

# -*- coding: utf-8 -*-
# Same lines, now using only ASCII quotes; a backslash escapes a quote
# character that would otherwise end the string.
print "Hello there world!"
print "Hello back to you!"
print "I like typing with you."
print "Typing back is fun."
print 'Yay! Printing lines with Python.'
print "Um, I\'m not touching that!"
print "I thought you \"liked\" Pythons? \"wink, wink, nudge nudge\" "
print 'The language Python and that dear Sir is definitely not a \"Python\"!'


The corrected PowerShell output:


I had to jump ever so slightly beyond this exercise to Exercise 10: What Was That? To get a better handle on escape characters.


Off to the next exercise and adding in fun with data.







Python Adventures – 04

Getting a data set to play with!!!!!

The Data-Driven Security book uses free tools and sources. In Chapter 3 the fun begins by gathering some data. The authors begin with AlienVault’s open source reputation database. It’s updated hourly, and I noticed it is sometimes not available on the hour, possibly due to traffic load.

I used the following Python script, also stored on GitHub (to be linked), to get the AlienVault data:

# -*- coding: utf-8 -*-
# Similar to Listing 3-1
import os
import sys
os.chdir(os.path.expanduser("~") + "/book/ch03")

# Similar to Listing 3-3
# URL for the AlienVault IP Reputation Database (OSSIM format)
# storing the URL in a variable makes it easier to modify later
# if it changes. NOTE: I choose a direct URL because I don't
# know any better :)
import urllib
import os.path

avURL = ""  # the direct URL was not preserved in this copy of the listing

# directory for the downloaded data (raw string, so the backslashes stay literal)
avRep = r"D:\Python\Data Driven Security/"
avFile = os.path.join(avRep, "reputation.data")

# as in Listing 3-3, only download the file if we don't already have it
if not os.path.isfile(avFile):
    urllib.urlretrieve(avURL, filename=avFile)


To update once a day, I scheduled a Windows task. This is only the start! My version of Windows can’t update more often via the GUI and I should be able to improve this so I can script what I need.

I scheduled the task to run the same script daily at 39 minutes after a random hour. I’m sure there are much better ways of accomplishing this; comments warmly welcomed!


I am puzzled about the lack of HTTPS and/or a more secure method to feed trusted, verified reputation data, both directly to a SIEM like OSSIM and via the website. I used a tool called EvilGrade way too much in the past (with permission), which makes me twitchy regarding insecure updates. There is an awesome write-up on pivoting attacks with EvilGrade.


I’m certain there are better methods of scripting this. I made a basic variation from the DDS book. I want to improve on this script and comments and ideas are welcomed.







Python Adventures – 03

Sharing code and delving into Python & Pandas.

My GitHub repository (which I must reorganize prior to sharing a link) is where I will endeavor to post a copy of all the code I create for my Python Adventures. I look forward to open reviews and improvements.


The Python & Pandas example based on Data-Driven Security Listing 2-2:

# Python & Pandas data frame example similar to Data-Driven Security Listing 2-2
import numpy as np
import pandas as pd

# create a new data frame of 5 IT and OT assets and vulnerability counts
assets_df = pd.DataFrame({
    "name": ["ControlRoom-PC001", "PLC-002", "RTU-003", "DCS-004", "FilePrint-SVR005"],
    "os": ["WinXP", "Fatek", "GE_D20MX", "DLink_DCS-2000", "W2K8"],
    "highvulns": [25, 5, 12, 6, 0]
})

# review the data frame structure & content
print(assets_df)

# show a sample or slice of the available operating systems input
print(assets_df.os.head())

# add a new column with IP address information
# (the five addresses were not preserved in this copy of the listing)
assets_df['ip'] = ["", "", "", "", ""]

# display only assets with greater than 10 high vulnerabilities
print(assets_df[assets_df.highvulns > 10])

# categorize assets in zones and add a new column
assets_df['zones'] = np.where(
    assets_df.ip.str.startswith("10.10.2"), "Zone1", "Zone2")

# final inspection
print(assets_df)



If all goes well the output should look something like:

What is nice about Python with Pandas is the output layout. When I do the same thing in R, there is no table layout without extra work, and it is more difficult to read through. This would be of greater importance when handling larger sets of data with limited knowledge of Python and R.

Why did I pick Operations Technologies (OT) and IT resources? OT is what runs much of our physical world nowadays, not shiny IT like new servers or laptops. IT controls our virtual selves and our data, and not, for example, traffic lights, railway signaling, medical equipment or factories. For this reason, I will be presenting Confessions of an IT/OT Hacker at the European Industrial Control Systems Summit, London, UK Royal Aeronautical Society, 22 & 23 September 2014. Everyone in IT and OT should familiarize themselves with the basics of Industrial Control Systems.