How to Hide Data in NTFS Streams and Break Software Integrity – From the WikiLeaks CIA Vault Leaks

WikiLeaks leaked out a CIA operations manual. Documents posted, with promises of more.  Currently, I am working on them like many other security researchers/hackers/technologically curios. Due to the semi-partial leak status, missing any real exploits. I decided to fill in the operations manual with exploits and how-to articles.

One technique caught my eye, hiding data in NTFS data streams. The full instructions were missing. I have enjoyed using this technique for many years now.  Some people already know about it. Microsoft even posted a blog on it back in 2013. We’ll take it one step further in a how to with some hashing J Microsoft has had a tool out called SysInternals Streams.exe available for free download which can be used for this technique.

If an attacker wants to hide data in plain sight, this is one method which can be considered based on the situation. NTFS ADS is also referred to as Forking. Yes, it has been used maliciously in the past. I decided to update the original posting with full instructions. Then take it up a notch to show you how to break file integrity by using SHA256++ with NTFS ADS.

Update to the leak original CIA manual for Everyone 🙂

NTFS Alternate Data Streams (ADS)

Exfiltration, manipulation of software and file integrity, obfuscation

Alternate Data Streams on the Root of the Drive

Depending on the target and system configuration. An NTFS alternate data stream (ADS) should be considered a viable method to hide data and foil protection or alerting. Particularly cases where protection present relies heavily or is dependent on file hashing as a method to verify file integrity. Whether it’s for exfiltration, manipulation of integrity, obfuscation or general tradecraft. Great for bypassing many security controls and pivoting deeper into a target network.

There are several methods. One of the easiest is from the command prompt. Work in the root of a hard drive directory. This can also be accomplished remotely if you already have remote access to the victim.

Gain access to the victim local or remote

Using a victim D drive as an example, due to limited privileges. The attacker has a file of IP addresses, which are additional Command and Control domains related to both StoneDrill and NewsBeEF, in addition to Kaspersky’s list. As part of a targeted attack, the attacker needs to get this list onto a victim machine silently. The attack can also be done with PowerShell or a batch file. Renaming Batch files once they are on the system to bypass security controls is normally easy with limited access. If it’s an executable, you can also use this technique with PSExec.exe. Many anti-malware and other protection will catch PSExec, but not always.

ntfs 1

Sample contents of the evil file

Perform the NTFS ADS and hide the Evil file

Open a command prompt local or remote on the victim machine. The attacker, for ease of use. Has placed the text file of Command and Control servers in the root of D, naming it evilcncips.txt

Create the file you want to hide the evil file in. In this example, we will call this file: testfile.txt. Type at the root the following commands. The command first creates the innocent file. The second command hides the evil file behind the innocent looking file.

ECHO “This is a test file” >testfile.txt

ECHO “This is the evil text in the ADS file” >testfile.txt:evilcancips.txt

ntfs 2

Verify the NTFS ADS Stream worked

Check what the directory shows in the command prompt. It should look the same as before the NTFS ADS

ntfs 3

What the directory looks like in the GUI

ntfs 4

Although it is possible to display ADS NTFS streams/Forks easily in a command prompt. This is beyond the normal user level and most technical as well. The technique is still somewhat obscure as a method for attack or espionage.  The GUI portion of Windows will not readily show the NTFS ADS file.

At the command prompt, ensure the NTFS ADS stream worked. It will show a double line with the original file, then show the hidden file.

dir /r

ntfs 5

When practicing, also verify using Streams.exe. In this example, Streams.exe was installed.

Open a command prompt and charge the working directory to where Streams is located. Then execute Streams against the innocent looking file: testfile.txt

streams d:\testfile.txt

ntfs 6

Hashing to F*ck with File Integrity

To ensure you hid the evil file on the victim machine. Hash the innocent file prior to NTFS ADS, recording the hash. The default hashing level in PowerShell is Sha256. Because modern Windows based victim machines have PowerShell. No additional tools are required to hash. The attacker does not need to be an administrator to use the PowerShell to hash a file. PowerShell is not being run as an administrator in this example. Most users and enterprise administrators are still unfamiliar with PowerShell and leave functionality default configured in a manner an attacker could exploit.

At a PowerShell prompt, use the cmdlet Get-FileHash, then the -Path where the original file is located.

Get-FileHash -Path d:\testfile.txt

ntfs 7.png

After the NTFS ADS, hash the original file again where the evil file is hidden.

ntfs 8

The hash will show the same hash. 9BB114C0FE4F787EF64A43F310EA81F273FC87001503A141A125D9689AE8DFEF

If the victim uses the NTFS file system, which most modern Windows uses. Anyone can hide whatever evil file they wish into an innocent one in a root directory like the examples shown. The victim nor attacker can display the hidden file in the GUI. Defence is based on if the target protection mechanisms can recognize the evil file or behaviour. Rarely is dir /r used. The file can be hidden and hashed with MD5, SHA1, SHA256, etc… The evil file will look hidden. This technique can be easily recreated and practiced before using on a target.


The result, relying on hashes for file integrity does not mitigate this risk or attack technique completely. The Hash process in a way hides the data further by giving a false impression of limiting risk. Many security products rely on hashing for file integrity. It’s accepted best practice. Now everyone knows it can be manipulated under certain conditions. I wrote about it in 2012, but never shared with the public. I feared an evil government could misuse it. Even if a great, free hug for everyone government is in power, sitting on exploits. Can you trust the next person or party in power won’t be or turn evil?

ntfs 9

I guess I don’t need that password or to encrypt the paper anymore. Thanks CIA & WikiLeaks 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: