Greetings everyone! In today’s update, I will show you how you can utilize Diabolic Drive’s flash storage to deliver your payload or exfiltrate data from a client’s target system using Alternate Data Streams (ADS).

You might think of this update as an example of a "field report" that highlights how Diabolic Drive can be modified to suit a specific red-team engagement. I invite you to submit your own field report as well! (And remember, I’ll be right here to help you however I can!)

What are Alternate Data Streams?

ADS are a sequence of bytes that contains data about a file, such as keywords or the identity of the user who created the file. Think of a data stream as a file within a file — a hidden file residing within a legitimate one. In other words, they are a file attribute and they are only found on the NTFS file system. In this system, a file is built up from a couple of attributes, one of which is $Data, aka the data attribute. Looking at the regular data stream of a text file, there is no mystery. It simply contains the text inside the text file. But that is only the primary or default data stream, which is always unnamed, and any data stream that has a name is considered alternate. This feature was introduced to provide compatibility with files in the Macintosh file system. Once a file has alternate data streams, they are invisible to Windows Explorer, text searches, and most of Windows’ other routine file functions, as well as, of course, your target’s eyes! Right below, you will find a quick and easy-to-follow YouTube tutorial I made to explain how to utilize this feature with your Diabolic Drive flash storage.

Things to Note

The flash storage of all the already shipped Diabolic Drives is formatted with the default file system, which is exFAT, so you will have to reformat it with NTFS for this feature to work. Just right-click on your Diabolic Drive’s flash storage, click format, choose the NTFS file system, and then hit Start! Then, you are ready to go.

Advantages

1. Your Diabolic Drive flash storage will look normal, revealing nothing suspicious if your target interacts with it. Only legitimate files will appear, and their corresponding ADS files will not be visible.
2. This feature works with almost any file extension, meaning: you can combine your payloads with legitimate PDFs and JPGs without compromising your audit.
3. Your payloads are available locally, in Diabolic Drive's onboard flash storage, and can be accessed from any target Windows machine. This can be essential if you are evaluating the security of an air-gapped system or a heavily monitored network environment.

Disadvantages

1. ADS is a relatively old feature. (But that doesn't mean it's ineffective!) If your engagement is targeting a highly secure system or a heavily monitored network, you'll just need to mix in some evasion techniques. Alternatively, you can limit your use of this feature to the exfiltration of reconnaissance data and other findings that might help you learn more about the environment you're auditing.
2. This method is not immune to proper forensic analysis, so keep that in mind, where relevant. If the parameters of your engagement require that you remain inconspicuous, you'll still want to obfuscate and encrypt your code, scrub logs, etc.
3. This method is not cross-platform and will only work if you are targeting Windows systems.

Final Words

I’m looking forward to hearing from you all, including your thoughts, opinions, and creative applications. So, if you’re using and/or improving Diabolic Drive, please consider submitting a field report to Crowd Supply!