Alternate Data Streams - ADS
NTFS file streams, also known as alternate data streams (ADS), are part of every file and directory (folder) on a Windows NTFS volume. NTFS files and folders are composed of attributes, one of which is $Data. The content we normally associate with a file, such as the text in a .txt file or the executable code in a .exe file, is stored in the ‘default’ $Data attribute, or ‘stream’. The name string of this default attribute is empty (set to “”), so it is often referred to as the “unnamed data stream”. Any additional $Data streams must be named and are typically referred to as “alternate data streams”.
The History of NTFS File Streams
Older Windows file systems such as FAT16 and FAT32 have no support for multiple streams. Multiple stream support was added to NTFS as part of NT 3.5.1. This was done in large part so that a Windows server could act as a file server for Apple Macintosh computers. Macintosh files make use of two streams per file – one for data and one for resource information. By enabling NTFS to support multiple streams, a Macintosh user could copy files to a Windows server and then back to a Macintosh without losing the ‘resource’ stream.
Initially, NTFS streams support was limited to the Win32 APIs used to access files. For years only a couple of utilities had any ‘awareness’ of multiple streams: “echo” and “more”.
This made ADS very tempting for bad actors, since it was hard for end users and even security professionals to detect ADS usage when the common ‘dir’ command and File Explorer were blind to it.
That situation has improved over time but the use of ADS is still often overlooked.
Not all ADS content is ‘bad’ these days. Some archive and backup software makes use of ADS to store file revision information. A more common usage in the past few years is IE and other browsers adding a stream named “Zone.Identifier” to files downloaded from the internet or other security zones. The Zone.Identifier stream contains data like “[ZoneTransfer]\nZoneId=x” where x is 0-4:
- 0: My Computer
- 1: Local Intranet Zone
- 2: Trusted Sites Zone
- 3: Internet Zone
- 4: Restricted Sites Zone
How to create it?
Open cmd and type the following:
notepad test.txt
notepad test.txt:secret1
notepad test.txt:secret2
Write something after opening notepad each time and save it.
Open each one again and the content is still there: it works! Again, this is a feature of the NTFS file system and won’t work elsewhere.
If we copy the file to a non-NTFS file system the ADS will be lost.
The first command creates a regular file, whereas the second and third create two separate streams in the same file. These won’t be visible from Explorer but can be accessed from the command line and with the help of external tools.
In order to create a new ADS, you add a colon after the name of the file, followed by the stream name:
> notepad file1.txt:secret.txt
> notepad file1.txt:photo.jpg
Each stream, since its name is just a string, allows us to store everything from binaries to images to text, any kind of content we’d want, and have that content disappear from the normal view of the disk. We can copy (but not run) exe binaries, images, pdfs and all other kinds of things.
You can’t start a program by giving it a relative path:
C:\Users\danie>message.txt:secret.exe
The filename, directory name, or volume label syntax is incorrect.
C:\Users\danie>c:\Users\danie\message.txt:secret.exe
The filename, directory name, or volume label syntax is incorrect.
C:\Users\danie>start message.txt:secret.exe
Access is denied.
You have to give it the full path:
C:\Users\danie>start c:\Users\danie\message.txt:secret.exe
Oh no, you've been hacked!
Wait what?
I know, right? It’s one of those things you would think would be in the public spotlight, but it remains a relic from the past.
Some other blogs have written about this, but the lexicon is so complex that you might as well glance over it.
Well my friend, here is the good news: you no longer need any fancy tools to detect ADS. Now you can simply go to cmd and write
dir /R
You’ll get the full list of files with their respective ADS.
Using PowerShell
Get Item
Get-Content -Path {path to the file} -Stream {name of the stream}
Set Item
Set-Content -Path {path to the file} -Stream {name of the stream} -Value {content}
Search for ADS
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
Remove ADS
Remove-Item -Path {path to the file} -Stream {name of the stream}
Malwarebytes Anti-Malware scans for and removes unwanted ADS (as Rootkit.ADS)
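As an added defensive example (not code from the original post), the following PowerShell script combines the recursive search above with the Zone.Identifier decoding from the zone list: it reports every non-default stream under a directory, names the Mark-of-the-Web zone, and flags streams that begin with an MZ header (a PE executable or DLL stored inside another file). The default root, the function names and the MZ check are this example's own assumptions; it assumes NTFS and either Windows PowerShell 5.1 or PowerShell 7+.

```powershell
# Added example, not from the original post. Hunts for alternate data streams under $Root,
# decodes Zone.Identifier (Mark-of-the-Web) streams into the zone names listed above and
# flags any other stream that begins with an "MZ" header (a PE executable or DLL).
# Assumes NTFS and either Windows PowerShell 5.1 or PowerShell 7+; $Root is an assumed default.
param([string]$Root = "$env:USERPROFILE\Downloads")

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet Zone'; 2 = 'Trusted Sites Zone'; 3 = 'Internet Zone'; 4 = 'Restricted Sites Zone' }

function Read-StreamHead {
    # First two bytes of a named stream; byte reading differs between PS 5.1 and PS 7.
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction Stop
    }
    return Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop
}

function Get-ZoneId {
    # Parse "[ZoneTransfer]`r`nZoneId=3" from the Zone.Identifier stream; $null if absent.
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
    if ($text -match '(?m)^ZoneId=(\d)') { return [int]$Matches[1] }
    return $null
}

# Enumerate streams of every file, drop the unnamed default stream (':$DATA') and classify the rest.
Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        $ads = $_
        $verdict = 'review'
        if ($ads.Stream -eq 'Zone.Identifier') {
            $id = Get-ZoneId -Path $ads.FileName
            $verdict = if ($null -ne $id -and $ZoneNames.ContainsKey($id)) {
                "MotW zone $id ($($ZoneNames[$id]))" } else { 'MotW: ZoneId not parsed' }
        } elseif ($ads.Length -ge 2) {
            try {
                $head = Read-StreamHead -Path $ads.FileName -Stream $ads.Stream
                if ($head[0] -eq 0x4D -and $head[1] -eq 0x5A) { $verdict = 'SUSPICIOUS: PE image (MZ) hidden in ADS' }
            } catch { $verdict = "unreadable: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ File = $ads.FileName; Stream = $ads.Stream; Bytes = $ads.Length; Verdict = $verdict }
    } | Format-Table -AutoSize
```

Streams marked ‘review’ are neither Mark-of-the-Web nor PE images, so inspect their size and owner before deciding whether they belong to legitimate backup or archive software.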
Executing code
Copy a file into a stream
type "C:\test.ext" > "c:\test.txt:test.exe"
wmic process call create "c:\test.txt:test.exe"
To run a DLL
type "C:\temp\messagebox64.dll" > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll"
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
To run a VBScript with wscript
type "C:\Program Files\test\wscripthello.vbs" > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"
wscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"
To run the same script with cscript
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:wscripts.vbs"
Sources