Alternate Data Streams (ADS)

In a NTFS file system, files can have multiple streams with extra data

Normally, the content of a file is stored in the $Data stream of a file. But you can create alternate streams on the same file with different content. This can be useful for hiding some data and might be used by malware to make its payloads less obvious. However, if you know what you're looking for these can be very easily found.

PowerShell

The easiest way to find files with alternate data streams is to run a PowerShell command like the following, which will recursively search the current directory for any streams that are not $Data.

PS F:\> gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
PSPath        : Microsoft.PowerShell.Core\FileSystem::F:\C\Windows\Tasks\ActiveSyncProvider.dll:hidden.ps1
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::F:\C\Windows\Tasks
PSChildName   : ActiveSyncProvider.dll:hidden.ps1
PSDrive       : F
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : F:\C\Windows\Tasks\ActiveSyncProvider.dll
Stream        : hidden.ps1
Length        : 175838

If you find any interesting names, you can extract their content with another PowerShell command:

Get-Item <FILE> | Get-Content -Stream <STREAM_NAME>
# For example
Get-Item .\ActiveSyncProvider.dll | Get-Content -Stream hidden.ps1

If you want to set the content of ADS, you can do so using the Set-Content command:

Set-Content -Path <FILE> -Stream <STREAM_NAME> -Value <CONTENT>
# For example
Set-Content -Path .\ActiveSyncProvider.dll -Stream hidden.ps1 -Value '...'

Legitimate uses

There is a reason this feature exists, and you may find streams that are not meant to be hidden for malware or secrets. Here are a few real-world uses that you might come across.

Zone.Identifier

This is the most common ADS which comes from downloading files. You might have experienced those warnings that Windows Defender gives when you try to run a program you just downloaded from the internet. Windows Defender knows this because every downloaded file will include this Zone.Identifier stream which tells it where the file comes from. There are 5 different zones with varying levels of trust:

Local Intranet Zone
Trusted Sites Zone
Internet Zone
Restricted Sites Zone
Local Machine Zone

The most common is 3. Internet Zone for files downloaded from the internet. The content of this stream might look like this:

[ZoneTransfer]
ZoneId=3

PreviousMetasploit NextKubernetes

Last updated 2 months ago