Hiding Data Using NTFS Alternate Data Streams (Defence Evasion)

In this video we'll be exploring how to attack, detect and defend against the abuse of NTFS alternate data streams. Originally designed for interoperability, this feature has been commandeered by attackers to hide data and malware in otherwise benign files.

If you find the video useful please do give it a like, and consider subscribing if you want more of this sort of content. Drop a note in the comments if there’s anything you think I missed, or if you have a good idea of what topic I should cover next.

Further reading/watching:
MITRE ATT&CK on NTFS Alternate Data Streams: https://attack.mitre.org/techniques/T...
NTFS documentation by Richard Russon and Yuval Fledel: http://dubeyko.com/development/FileSy...
Microsoft documentation about Zones: https://docs.microsoft.com/en-us/prev...)
Sean Pierce on “Sneaky Tips and Tricks with Alternate Data Streams”: https://www.sans.org/cyber-security-s...
Sysinternals Sysmon tool: https://docs.microsoft.com/en-us/sysi...

Audio Credits (licensed under CC0):
Intro/Outro Music by Flavio Concini (https://freesound.org/people/Greek555/)
Transition audio: "Ethereal Woosh" by Newagesoup (https://freesound.org/people/newagesoup/)

Timestamps:
0:00 Intro
2:16 Attack
3:46 Detect
5:25 Defend
