
Exploring Alternate Data Streams (ADS) in NTFS


Ohidur Rahman Bappy

MAR 22, 2025

Introduction to Alternate Data Streams (ADS)

Alternate Data Streams (ADS) are a lesser-known feature of the NTFS file system, integral to both files and directories on a Windows NTFS volume. An NTFS file comprises a primary attribute, $Data, which stores the file's actual content. While the default $Data stream holds the primary content, additional named streams, known as ADS, can be added.

A Brief History of NTFS Streams

Initially, older file systems like FAT16 and FAT32 did not support multi-stream features. Support for multiple streams was introduced in NTFS with version NT 3.5.1, facilitating compatibility with Apple Macintosh computers, which used two streams per file.

For a long time, multiple streams were not visible to standard utilities like 'dir' or File Explorer, which made ADS an attractive hiding place for malicious actors. However, some legitimate tools and browsers use ADS for storing metadata, such as the "Zone.Identifier" stream, which records the security zone from which the file originated.

Creating and Using ADS

To create an ADS, use the following commands in the command line:

notepad test.txt
notepad test.txt:secret1
notepad test.txt:secret2

The above commands create a regular file and two additional streams that cannot be seen in File Explorer but are accessible through the command line.
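The following PowerShell session is an added example, not part of the original post: it creates a file with two named streams, shows that the file's reported size counts only the default $Data stream, lists every stream, and reads a constructed Zone.Identifier stream back the way Windows does when deciding whether a download is "blocked". The path, stream names and the `Get-ZoneId` helper are my own choices.

```powershell
# Added example: demonstrate creating, listing and reading named streams.
# All paths and stream names below are made up for the demo.
$file = Join-Path $env:TEMP 'ads-demo.txt'

Set-Content -LiteralPath $file -Value 'visible body text'
Set-Content -LiteralPath $file -Stream 'secret1' -Value 'hidden text one'
Set-Content -LiteralPath $file -Stream 'secret2' -Value 'hidden text two'

# Constructed Zone.Identifier in the INI-style layout browsers write for downloads
# (ZoneId 3 = Internet zone). Writing it by hand is only for illustration.
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# FileInfo.Length counts only the unnamed $Data stream, which is why Explorer
# and 'dir' show no trace of the extra content
"Reported size: $((Get-Item -LiteralPath $file).Length) bytes"

# Enumerate every stream, default one included (it appears as ':$DATA')
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Read one named stream back
Get-Content -LiteralPath $file -Stream 'secret1'

# Parse the ZoneId out of a Zone.Identifier stream; returns $null when the
# file carries no such stream (i.e. it was not marked as downloaded)
function Get-ZoneId {
    param([Parameter(Mandatory)] [string] $Path)
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)$') { return [int] $Matches[1] }
    }
    return $null
}
"ZoneId before Unblock-File: $(Get-ZoneId -Path $file)"

# Unblock-File deletes the Zone.Identifier stream (same as Explorer's Unblock checkbox);
# the other named streams are untouched
Unblock-File -LiteralPath $file
"ZoneId after Unblock-File: $(Get-ZoneId -Path $file)"
Get-Item -LiteralPath $file -Stream * | Select-Object Stream
```

Note that `Set-Content -Stream` and `Get-Item -Stream` only work on NTFS volumes; on ReFS, FAT32 or exFAT the `-Stream` parameter produces an error rather than silently writing to the main stream.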

Copying Files and ADS

Be aware that copying files to non-NTFS file systems will strip ADS.
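As an added example (not from the original post), the function below copies a file and reports which named streams did not survive the copy. `Copy-FileWithStreamCheck` and its parameters are my own names; the demo copies inside %TEMP%, which is NTFS, so nothing is lost there, and pointing the destination at a FAT32 or exFAT drive shows the stripping the paragraph describes.

```powershell
# Added example: detect stream loss across a copy. Assumes $Source lives on NTFS.
function Copy-FileWithStreamCheck {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination   # full target file path
    )
    # Named streams present before the copy (':$DATA' is the ordinary content)
    $before = @(Get-Item -LiteralPath $Source -Stream * |
        Where-Object Stream -ne ':$DATA' |
        Select-Object -ExpandProperty Stream)

    Copy-Item -LiteralPath $Source -Destination $Destination -Force

    # On a non-NTFS destination the stream query fails or returns only ':$DATA'
    $after = @(Get-Item -LiteralPath $Destination -Stream * -ErrorAction SilentlyContinue |
        Where-Object Stream -ne ':$DATA' |
        Select-Object -ExpandProperty Stream)

    [pscustomobject]@{
        Source        = $Source
        Destination   = $Destination
        StreamsBefore = $before
        StreamsAfter  = $after
        StreamsLost   = @($before | Where-Object { $_ -notin $after })
    }
}

# Constructed demo input: one named stream, copied NTFS-to-NTFS (expect StreamsLost = {})
$src  = Join-Path $env:TEMP 'ads-copy-src.txt'
$dest = Join-Path $env:TEMP 'ads-copy-dst.txt'
Set-Content -LiteralPath $src -Value 'body'
Set-Content -LiteralPath $src -Stream 'note' -Value 'travels only on NTFS'
Copy-FileWithStreamCheck -Source $src -Destination $dest | Format-List
```

The same check applies to archives and to file transfers over protocols that only carry the main stream; a non-empty `StreamsLost` on the receiving side is the signal that metadata such as Zone.Identifier (and anything hidden in a stream) was dropped in transit.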

Executing Code via ADS

To run an executable stored in an ADS, refer to it by its full path:

start c:\Users\danie\message.txt:secret.exe

Discovering and Managing ADS

You can list ADS from the command line with dir /R. PowerShell offers more advanced handling with these commands:

  • Read a stream (Get-Content)
    get-content -path {path to the file} -stream {name of the stream}

  • Write a stream (Set-Content)
    set-content -path {path to the file} -stream {name of the stream} -value {content}

  • Search for ADS recursively (everything except the default $Data stream)
    gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

  • Remove a stream (Remove-Item)
    remove-item -path {path to the file} -stream {name of the stream}

Running Executable through ADS

Examples of executing code from ADS:

  • Copy a file into a stream, then launch it
    type "C:\test.ext" > "c:\test.txt:test.exe"
    wmic process call create "c:\test.txt:test.exe"

  • Run a DLL
    rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain

  • Run a script
    wscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"
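The search one-liner in the "Discovering and Managing ADS" section lists every named stream, but on a real machine most hits are harmless Zone.Identifier markers. The function below is an added example, not part of the original post, that turns that one-liner into a triage sweep aimed at the execution techniques above: it walks a directory tree, skips the default ':$DATA' stream and (by default) Zone.Identifier, reads the first bytes of each remaining stream, and flags content that starts with a PE header ("MZ") or looks like a script, plus stream names carrying an executable extension. `Find-SuspiciousAds`, its parameters and the classification table are my own.

```powershell
# Added example: point-in-time sweep for named streams that may carry code.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $IncludeZoneIdentifier     # set to report browser markers too
    )
    # Stream names with these suffixes are worth a look regardless of content
    $execNamePattern = '\.(exe|dll|scr|com|vbs|vbe|js|jse|ps1|bat|cmd|wsf|hta)$'

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $path = $_.FullName
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
          ForEach-Object {
            $stream = $_.Stream
            # Read the first 4 bytes; the byte-mode switch differs between
            # Windows PowerShell 5.1 (-Encoding Byte) and PowerShell 7 (-AsByteStream)
            $head = if ($PSVersionTable.PSVersion.Major -ge 6) {
                Get-Content -LiteralPath $path -Stream $stream -AsByteStream -TotalCount 4 -ErrorAction SilentlyContinue
            } else {
                Get-Content -LiteralPath $path -Stream $stream -Encoding Byte -TotalCount 4 -ErrorAction SilentlyContinue
            }
            $magic = if ($head) { -join ($head | ForEach-Object { [char] $_ }) } else { '' }

            $kind = switch -Regex ($magic) {
                '^MZ'  { 'PE executable (exe/dll)'; break }   # DOS header of every PE image
                '^#!'  { 'script with shebang';   break }
                '^PK'  { 'ZIP container';         break }   # also .docx/.xlsx/.jar
                default { 'unknown' }
            }

            [pscustomobject]@{
                File          = $path
                Stream        = $stream
                Bytes         = $_.Length
                Magic         = $magic
                Kind          = $kind
                ExecutableName = [bool] ($stream -match $execNamePattern)
            }
          }
      }
}

# Usage (constructed): sweep the current user's profile, PE payloads first
Find-SuspiciousAds -Root $env:USERPROFILE |
    Sort-Object @{ Expression = { $_.Kind -like 'PE*' -or $_.ExecutableName }; Descending = $true }, File |
    Format-Table -AutoSize
```

Scripts such as the VBS example above have no magic bytes, so for them the `ExecutableName` column and the stream size are the only hints this sweep can give; a stream of several kilobytes with a script-like name on a log file is the pattern to review. For continuous coverage rather than a one-off sweep, Sysmon's FileCreateStreamHash event (Event ID 15) records every named stream written to disk along with the hash of its content.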

Conclusion

Alternate Data Streams offer both innovative and potentially risky uses. While they can be employed for benign purposes such as metadata storage, they can also be exploited by attackers.
