Alternate Data Streams (ADS)

In an NTFS file system, files can have multiple streams that carry extra data

Normally, the content of a file is stored in its $Data stream, but you can create alternate streams on the same file, each with different content. This can be useful for hiding data, and malware sometimes uses it to make its payloads less obvious. However, if you know what to look for, these streams are very easy to find.

PowerShell

The easiest way to find files with alternate data streams is to run a PowerShell command like the following, which recursively searches the current directory and lists every stream that is not the default $Data stream.

PS F:\> gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
PSPath        : Microsoft.PowerShell.Core\FileSystem::F:\C\Windows\Tasks\ActiveSyncProvider.dll:hidden.ps1
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::F:\C\Windows\Tasks
PSChildName   : ActiveSyncProvider.dll:hidden.ps1
PSDrive       : F
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : F:\C\Windows\Tasks\ActiveSyncProvider.dll
Stream        : hidden.ps1
Length        : 175838

If you find any interesting names, you can extract their content with another PowerShell command:

Get-Item <FILE> | Get-Content -Stream <STREAM_NAME>
# For example
Get-Item .\ActiveSyncProvider.dll | Get-Content -Stream hidden.ps1

If you want to set the content of an ADS, you can do so with the Set-Content command:

Set-Content -Path <FILE> -Stream <STREAM_NAME> -Value <CONTENT>
# For example
Set-Content -Path .\ActiveSyncProvider.dll -Stream hidden.ps1 -Value '...'
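The find, read and write commands above are the building blocks of a quick triage. The following PowerShell is an added example (not code from the original page) that wraps them in a function: it walks a directory, reports every non-default stream with its size and a SHA-256 of its content so the same payload can be matched across hosts, and then shows reading a stream back and removing it with Remove-Item -Stream. The temp folder, file name and stream content it creates are constructed for the demonstration; nothing else on the system is touched.

```powershell
# Added example (not from the original page): enumerate alternate data streams
# under a directory and report each one with its size and SHA-256.
function Get-AdsReport {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every stream on the file except the default data stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # .NET file APIs accept "path:stream" on NTFS, so the stream
                    # content can be read and hashed without copying it anywhere.
                    $adsPath = '{0}:{1}' -f $file.FullName, $_.Stream
                    $bytes   = [System.IO.File]::ReadAllBytes($adsPath)
                    $hash    = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        SHA256 = $hash
                    }
                }
        }
}

# --- Demonstration on a constructed sample in a temporary folder ---
$demo = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
$sample = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
# Hypothetical stream name and content, created only for this example.
Set-Content -LiteralPath $sample -Stream 'notes.txt' -Value 'content hidden in an ADS'

# 1. Find: one row per non-default stream.
Get-AdsReport -Path $demo | Format-Table -AutoSize

# 2. Read: pull the content of the stream we just found.
Get-Content -LiteralPath $sample -Stream 'notes.txt'

# 3. Remove: Remove-Item can delete a single stream, leaving the file itself intact.
Remove-Item -LiteralPath $sample -Stream 'notes.txt'
Get-AdsReport -Path $demo   # no rows: the stream is gone, report.txt still exists
Get-Content -LiteralPath $sample

Remove-Item -LiteralPath $demo -Recurse -Force
```

The `-LiteralPath` parameter is used throughout because stream and file names containing `[` or `]` would otherwise be treated as wildcards by `-Path`. Hashing via `System.IO.File` rather than `Get-Content` keeps the code the same on Windows PowerShell 5.1 and PowerShell 7, which differ in how `Get-Content` is told to return raw bytes.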

Legitimate uses

There is a reason this feature exists, and you may find streams that have nothing to do with hidden malware or secrets. Here are a few real-world uses you might come across.

Zone.Identifier

This is the most common ADS, and it comes from downloading files. You may have seen the warning Windows Defender shows when you try to run a program you just downloaded from the internet. Windows Defender knows this because every downloaded file includes a Zone.Identifier stream that records where the file came from. There are 5 different zones with varying levels of trust:

  1. Local Intranet Zone
  2. Trusted Sites Zone
  3. Internet Zone
  4. Restricted Sites Zone
  5. Local Machine Zone

The most common is 3. Internet Zone for files downloaded from the internet. The content of this stream might look like this:

[ZoneTransfer]
ZoneId=3
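Because the stream is a small INI-style block, it is easy to parse in bulk. The following PowerShell is an added example (not code from the original page) that reads the Zone.Identifier stream of every file under a directory, extracts ZoneId together with the optional ReferrerUrl and HostUrl keys that newer Windows versions write, and maps the numeric id to a zone name. The numeric mapping follows the Windows URLZONE values (0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites). The sample file, its stream content and the example.invalid URLs are constructed for the demonstration; Unblock-File is the built-in cmdlet that removes the stream.

```powershell
# Added example (not from the original page): find downloaded files by parsing
# their Zone.Identifier alternate data stream.

# ZoneId values as used in the [ZoneTransfer] section (Windows URLZONE numbering).
$ZoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function ConvertFrom-ZoneIdentifier {
    param([Parameter(Mandatory)] [string] $Text)
    # Parse "Key=Value" lines; only the keys we care about are kept.
    $result = [ordered]@{ ZoneId = $null; ZoneName = 'Unknown'; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(ZoneId|ReferrerUrl|HostUrl)\s*=\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    if ($result.ZoneId -match '^\d+$') {
        $id = [int]$result.ZoneId
        $result.ZoneId = $id
        if ($ZoneNames.ContainsKey($id)) { $result.ZoneName = $ZoneNames[$id] }
    }
    [pscustomobject]$result
}

function Get-DownloadedFiles {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Files without the stream produce a (suppressed) error and are skipped.
            $zi = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
            if ($zi) {
                $parsed = ConvertFrom-ZoneIdentifier -Text $zi
                [pscustomobject]@{
                    File        = $_.FullName
                    ZoneId      = $parsed.ZoneId
                    ZoneName    = $parsed.ZoneName
                    ReferrerUrl = $parsed.ReferrerUrl
                    HostUrl     = $parsed.HostUrl
                }
            }
        }
}

# --- Demonstration on a constructed sample in a temporary folder ---
$demo = Join-Path $env:TEMP ('zone-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
$sample = Join-Path $demo 'tool.exe.txt'
Set-Content -LiteralPath $sample -Value 'pretend this is a downloaded file'

# Constructed stream content in the same shape Windows writes it (URLs are placeholders).
$zoneStream = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.invalid/downloads/`r`nHostUrl=https://example.invalid/downloads/tool.exe`r`n"
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value $zoneStream -NoNewline

# Report: expect one row with ZoneId 3 / "Internet" and both URLs.
Get-DownloadedFiles -Path $demo | Format-List

# Unblock-File deletes the Zone.Identifier stream, which is exactly what
# the "Unblock" checkbox in the file's Properties dialog does.
Unblock-File -LiteralPath $sample
Get-Item -LiteralPath $sample -Stream Zone.Identifier -ErrorAction SilentlyContinue   # nothing

Remove-Item -LiteralPath $demo -Recurse -Force
```

When triaging a host, the ReferrerUrl and HostUrl values are often more useful than the ZoneId itself, since they point at the page and download location a file came from; a file whose Zone.Identifier stream is absent on a machine where browsers normally write one is also worth a second look.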

Last updated 1 year ago