A Python script to automate hunting of Alternate Data Streams (ADS), which can carry hidden or confidential information.
Idea: the idea for this tiny tool came from testing DLP (Data Loss Prevention) controls by trying to exfiltrate data through Alternate Data Streams in a Windows environment.
- https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams?source=post_page-----54b144a831f1--------------------------------
- https://www.ired.team/offensive-security/defense-evasion/t1096-alternate-data-streams
- https://blog.ironmansoftware.com/daily-powershell/powershell-alternate-data-streams/
Made with ❤️ by Kamran Saifullah + Shrefa Ashour
The purpose of this script is to identify the Alternate Data Streams in files which have been flagged for investigation. It is a really effective technique which can be used by insider threats or threat actors to deliver tools from their arsenal and to exfiltrate sensitive information out of the network.
Simply looking at the files reveals nothing. Thus, a step further is to look at the number of streams present in the file under investigation. This can be done manually for a handful of files, but not easily when there is a huge number of files.
Thus, we created this script to automate the hunting of low-hanging fruit and then take the investigation forward.
The script does the following:
- Single File Scan
  - Checks for all Alternate Data Streams
  - Outputs the data observed in the Alternate Data Streams
- Directory Scan
  - Checks for all Alternate Data Streams of each file in the provided directory
  - Outputs the data observed in the Alternate Data Streams of each file
- Output Directory
  - All extracted data is written to the output directory under the stream name observed
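The directory-scan and output-directory steps above, as an added example that is not the project's own ADSTracer.py or pyads.py code: it parses the stream lines that `dir /r` prints, keeps anything other than a small Zone.Identifier (Mark-of-the-Web) stream for a closer look, and copies a kept stream out under its own name. The `dir /r` output, the benign-stream list and the size threshold are constructed assumptions for the example.

```python
import os
import re
from typing import List, NamedTuple

# Constructed sample of `dir /r` output (cmd.exe lists ADS when /r is given).
SAMPLE_DIR_R = """\
01/15/2024  10:23 AM             1,024 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
01/16/2024  09:02 AM            48,640 notes.txt
                                73,728 notes.txt:update.exe:$DATA
                                   512 notes.txt:keys:$DATA
               2 File(s)         49,664 bytes
"""

# Zone.Identifier (Mark-of-the-Web) is written by browsers and mail clients and is
# normally a few dozen bytes; any other stream, or an oversized one, deserves a look.
BENIGN_STREAMS = {"Zone.Identifier"}
BENIGN_MAX_SIZE = 1024  # assumed threshold for the example

# "<size> <file>:<stream>:$DATA" as printed by dir /r; sizes carry thousands separators.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


class Stream(NamedTuple):
    file: str
    name: str
    size: int


def parse_dir_r(output: str) -> List[Stream]:
    """Extract (file, stream name, size) for every ADS line in `dir /r` output."""
    streams = []
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            streams.append(Stream(m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return streams


def triage(streams: List[Stream]) -> List[Stream]:
    """Keep streams that are not known-benign, or benign-named but unexpectedly large."""
    return [s for s in streams if s.name not in BENIGN_STREAMS or s.size > BENIGN_MAX_SIZE]


def dump_stream(directory: str, stream: Stream, out_dir: str) -> str:
    """Copy one ADS to out_dir/<file>__<stream> for offline analysis. Works only on
    NTFS under Windows, where open() accepts the file:stream syntax directly."""
    os.makedirs(out_dir, exist_ok=True)
    dest = os.path.join(out_dir, f"{stream.file}__{stream.name}")
    with open(os.path.join(directory, f"{stream.file}:{stream.name}"), "rb") as src, open(dest, "wb") as dst:
        dst.write(src.read())
    return dest
```

Feed `parse_dir_r` the captured output of `dir /r` over the flagged directory, then pass each `triage` hit to `dump_stream` to collect the stream contents for review.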
In order for the script to work properly, there are a few dependencies which need to be installed. Install them with the following command from within the folder, or however you prefer.
pip install -r requirements.txt
or you can install the dependencies one by one.
pip install colorama
Finally, the main module on which ADSTracer relies: pyads. Great work by the guys behind creating a full-fledged module.
Make sure pyads.py is kept in the same directory.
Execute ADSTracer.py simply with
python3 ADSTracer.py
The script supports 3 parameters.
- For help: ADSTracer.py -h
- For a single file: ADSTracer.py -f
- For a directory: ADSTracer.py -d
Please, submit any feedback or issues to our GitHub: https://github.com/CyDefOps/project-killchain
Many Thanks
Shrefa Ashour + Kamran Saifullah
- Extracting Embedded Files/Streams.
- 22nd Dec 2023
- Want anything else to be added? Reach out to us.
Project Killchain values and appreciates contributions from the cybersecurity community. Feel free to contribute code, share new tools, update our knowledge base, or expand the IOC database.
Please review the contributing guidelines before making any contributions.
https://github.com/CyDefOps/project-killchain#contributions