
Alternate Data Streams on Windows NTFS: A Red Team's Guide to Hiding and Detecting Hidden Data


Alternate Data Streams (ADS) are a feature NTFS has carried since the 90s and almost no one knows about. You can attach a second (or third, or twentieth) stream of data to any file, and that data is invisible to Windows Explorer, most file copy tools, and most users. For a red team, that’s interesting. For a blue team, it’s a class of evasion technique that’s usually not on the checklist.

What are alternate data streams?

ADS are a feature of NTFS that lets you attach data to a file without changing the file’s primary stream. Originally, this existed for Macintosh HFS interop — Windows servers acting as Mac file shares needed somewhere to put HFS resource forks. The interop use is mostly historical now, but the feature stayed.

How to hide data using alternate data streams

The simplest way to create an alternate data stream is to use the built-in type command, redirecting content into an alternate stream of an existing file using the : delimiter syntax.

For example, to hide a password in a file called “example.txt,” use the following command:

type password.txt >> example.txt:hidden.txt

This writes the contents of “password.txt” into the alternate data stream named “hidden.txt” attached to “example.txt,” without modifying the visible content of “example.txt.”

Alternate data streams can also be used to hide data in non-text files, such as images or executables. This technique is limited to NTFS volumes and is not supported on FAT32 or exFAT file systems.

Detecting alternate data streams

ADS don’t show up in Windows Explorer or in most file managers. They do show up to a few specific tools.

One way to detect alternate data streams is the built-in dir command with the /r flag, which lists every alternate data stream attached to the files it enumerates. For example, to display the alternate data streams attached to a file called “example.txt,” use the following command:

dir /r example.txt

Another tool for detecting alternate data streams is streams.exe, a command-line utility from Microsoft’s Sysinternals suite that can both list and remove alternate data streams. Run streams.exe against a file to display the streams attached to it, then use other tools to extract or analyze the data.
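As an added example (not from the original post), the following PowerShell sweep does what dir /r and streams.exe do by hand: it enumerates every non-default stream under a directory, filters out the routine Zone.Identifier mark-of-the-web stream so real findings stand out, and shows how to read and remove a stream found during triage. The temp directory and the stream contents are constructed for the demonstration.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 3.0+
# or PowerShell 7 running against an NTFS volume.

function Get-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is written by browsers on downloaded files and is
        # expected noise on most hosts; pass -IncludeZoneIdentifier to keep it.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream; ':$DATA' is the primary (visible) one.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Constructed self-test: build a carrier file with a hidden stream in a temp
# directory, then sweep that directory with the function above.
$testDir = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $testDir | Out-Null
$carrier = Join-Path $testDir 'example.txt'
Set-Content -LiteralPath $carrier -Value 'visible text'
# Same effect as the post's "type password.txt >> example.txt:hidden.txt".
Set-Content -LiteralPath $carrier -Stream 'hidden.txt' -Value 'constructed secret'

$hits = Get-AlternateDataStreams -Path $testDir
$hits | Format-Table -AutoSize   # one row: example.txt, hidden.txt, its length

# Triage: read the hidden stream, then remove only that stream, leaving the
# visible file content untouched.
Get-Content -LiteralPath $carrier -Stream 'hidden.txt'
Remove-Item -LiteralPath $carrier -Stream 'hidden.txt'
Remove-Item -LiteralPath $testDir -Recurse -Force
```

Point Get-AlternateDataStreams at user profile, download and temp paths on a host under investigation; anything other than Zone.Identifier is worth a look.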

Implications of using alternate data streams to hide data

Two things worth knowing before using ADS in an engagement:

First, the obvious: hiding data on a system you don’t own is governed by whatever computer-misuse laws apply in the relevant jurisdiction. Get authorization in writing.

Second, this is shallow stealth. Modern AV and EDR products check for ADS as a matter of course, and a defender running dir /r over interesting paths will see what you put there. Treat ADS as obscurity, not concealment — useful for slowing down a casual look, not for hiding from a security team that knows what they’re doing.

Conclusion

ADS is the kind of technique that gets covered in introductory red-team material because it’s interesting and easy to demonstrate. In practice, you’ll use it less often than you might expect — modern endpoint tooling enumerates streams, the dir /r flag is one keystroke away, and any defender doing forensics will look for them. It’s worth knowing because you’ll see it on engagements (especially older or unmanaged Windows hosts) and because it’s a useful test of how thoroughly a blue team scopes their searches.

Author: UncleSp1d3r
As a computer security professional, I’m passionate about building secure systems and exploring new technologies to enhance threat detection and response capabilities. My experience with Rails development has enabled me to create efficient and scalable web applications. At the same time, my passion for learning Rust has allowed me to develop more secure and high-performance software. I’m also interested in Nim and love creating custom security tools.