Alternate Data Streams (ADS)

Alternate Data Streams (ADS) are an NTFS file attribute, originally designed to provide compatibility with the Macintosh HFS (Hierarchical File System).

Any file created on an NTFS-formatted drive has two different forks/streams:

  - Data stream: the default stream that contains the content of the file.
  - Resource stream: typically contains the metadata of the file.

Attackers can use ADS to hide malicious code or an executable inside a legitimate file in order to evade detection. This is done by storing the malicious code in the resource stream (metadata) of a legitimate file rather than in its data stream.

  1. Create a hidden file with Notepad; it is stored in the resource stream of `test.txt`:

```cmd
notepad test.txt:secret.txt
```

  2. Hide an executable in the resource stream of a text file and run it through a symbolic link:

```cmd
REM Hide winPEAS inside a legitimate-looking text file
type winpeas.exe > windowslog.txt:winpeas.exe

REM Add some random data to the created text file
notepad windowslog.txt

REM Create a symbolic link (requires an elevated prompt; the stream path assumes windowslog.txt is in C:\Temp)
cd C:\Windows\System32
mklink wupdate.exe C:\Temp\windowslog.txt:winpeas.exe

REM Execute the hidden executable through the symbolic link
wupdate
```
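To check a host for this technique from the defender's side, here is an added PowerShell example (not part of the original page) that enumerates every named stream under a directory and flags streams whose first two bytes are the PE `MZ` header, as `windowslog.txt:winpeas.exe` above would be; the scan path `C:\Temp` is an assumption.

```powershell
# Added example (not from the original page): enumerate alternate data streams
# under a directory and flag any whose content starts with the PE 'MZ' header,
# i.e. an executable hidden in a stream such as windowslog.txt:winpeas.exe.
function Find-AdsExecutables {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Get-Content reads raw bytes with -Encoding Byte on 5.1 and -AsByteStream on 6+
    $byteParam = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteParam = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * lists every stream; ':$DATA' is the file's normal content and is skipped
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamName = $_.Stream
                # Read only the first two bytes of the stream to test for 'MZ' (0x4D 0x5A)
                $head = Get-Content -LiteralPath $file.FullName -Stream $streamName `
                            -TotalCount 2 @byteParam -ErrorAction SilentlyContinue
                $isPe = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                [PSCustomObject]@{
                    File        = $file.FullName
                    Stream      = $streamName
                    SizeBytes   = $_.Length
                    LooksLikePE = $isPe
                }
            }
    }
}

# Scan C:\Temp (assumed location) and list the PE-bearing streams first
Find-AdsExecutables -Path 'C:\Temp' | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Benign streams such as `Zone.Identifier` show up with `LooksLikePE` false, while a flagged stream can be removed on its own with `Remove-Item -LiteralPath <file> -Stream <name>` without touching the file's main content. For ongoing detection, Sysmon event ID 15 (FileCreateStreamHash) records the creation of named streams together with a hash of their content.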