This content originally appeared on DEV Community and was authored by Saravana Gautham
One-line summary: NTFS Alternate Data Streams (ADS) let a file carry named hidden streams of data (e.g. file.txt:secret). They’re useful for metadata but can be abused for stealthy storage — here’s a safe, beginner lab showing how to hide an image or a benign PowerShell script in an ADS and how to run it in a controlled environment.
⚠️ Lab safety & ethics: Run these steps only in an isolated Windows VM with an NTFS disk. Snapshot the VM first. Do not try on production systems or devices you don’t own/authorize.
What is an ADS? (short & simple)
An Alternate Data Stream (ADS) is an extra named data stream attached to an NTFS file. The normal content you see is the default stream. An ADS is like a hidden compartment inside a briefcase — the briefcase is the visible file, and the ADS is the hidden pocket. The beauty is that you can create any number of secret compartments (ADS) for a single file.
Key facts:
- ADS is an NTFS feature (not FAT/exFAT) and may be lost if the file is moved to a non-NTFS filesystem.
- A file can hold multiple named streams: filename:stream1, filename:stream2, etc.
- Explorer shows only the default stream size; ADS bytes are stored in NTFS metadata (as extra $DATA attributes tracked in the MFT) and require special tools to see.
- There is no simple NTFS switch to disable ADS — defenders must scan and monitor for them.
Why it matters
- Legitimate uses: metadata, compatibility with legacy resource forks, application-specific needs.
- Abuse potential: attackers can hide scripts, small binaries, images, or exfiltrated data inside ADS to evade cursory checks. Modern AV/EDR can and does detect many ADS-related behaviours, but ADS remains a stealthy lever in many scenarios.
Important ADS commands (cmd method)
Commands (cmd.exe on an NTFS volume; assumes C:\Lab\images\diya.jpg and the folder C:\Temp already exist)
REM create the visible host file, in this case a TXT file named Diwali.txt
echo Diwali wishes > C:\Lab\Diwali.txt
REM copy an image file in binary mode into the ADS named Diya of Diwali.txt
copy /b "C:\Lab\images\diya.jpg" "C:\Lab\Diwali.txt:Diya"
REM list every file in the directory together with its alternate streams
dir /R C:\Lab
REM extract the image from the ADS and write it out as a normal file
copy /b "C:\Lab\Diwali.txt:Diya" "C:\Temp\Diya_extracted.jpg"
REM open the extracted file; the empty "" is the window title that start consumes first, otherwise it treats the quoted path as the title and opens a new console
start "" "C:\Temp\Diya_extracted.jpg"
What you’ll see
- dir /R or streams -s C:\Lab will show Diwali.txt:Diya.
- After extract, the default image viewer opens Diya_extracted.jpg.
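The same create / list / extract flow in PowerShell, as an added lab example that is not part of the original post. It also makes the "Key facts" point concrete: the Length of the file object is the default stream only, while Get-Item -Stream * returns every $DATA attribute. All paths are assumptions for an isolated NTFS VM, and C:\Lab\images\diya.jpg is assumed to exist already.

```powershell
# Added lab example (not the original post's code): create a host file, attach an
# image as a named stream, compare visible vs. real size, extract, verify, clean up.
# Paths are assumptions; C:\Lab\images\diya.jpg must already exist.
$Lab      = 'C:\Lab'
$HostFile = Join-Path $Lab 'Diwali.txt'
$Image    = Join-Path $Lab 'images\diya.jpg'
$Out      = 'C:\Temp\Diya_extracted.jpg'
New-Item -ItemType Directory -Path $Lab, 'C:\Temp' -Force | Out-Null

# PowerShell 7 moves raw bytes with -AsByteStream; Windows PowerShell 5.1 uses
# -Encoding Byte. Pick the right switch once and splat it below.
$byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

# 1. Visible host file: its text lives in the default, unnamed $DATA stream.
Set-Content -LiteralPath $HostFile -Value 'Diwali wishes'

# 2. Attach the image as the named stream "Diya" (same effect as copy /b ... Diwali.txt:Diya).
$bytes = [System.IO.File]::ReadAllBytes($Image)
Set-Content -LiteralPath $HostFile -Stream 'Diya' -Value $bytes @byteArg

# 3. Size check: .Length is the default stream only (what Explorer and dir show),
#    while -Stream * returns one record per $DATA attribute; the default is ':$DATA'.
$visible = (Get-Item -LiteralPath $HostFile).Length
$streams = Get-Item -LiteralPath $HostFile -Stream *
$streams | Select-Object Stream, Length | Format-Table -AutoSize | Out-Host
$total   = ($streams | Measure-Object -Property Length -Sum).Sum
"Explorer/dir size: $visible bytes; bytes actually stored across all streams: $total"

# 4. Extract the stream and prove it is byte-identical to the original image.
$data = Get-Content -LiteralPath $HostFile -Stream 'Diya' -Raw @byteArg
[System.IO.File]::WriteAllBytes($Out, $data)
"Extracted copy matches original: $((Get-FileHash $Image).Hash -eq (Get-FileHash $Out).Hash)"

# 5. Clean up the lab artefact: drop the named stream, keep the host file.
Remove-Item -LiteralPath $HostFile -Stream 'Diya'
Get-Item -LiteralPath $HostFile -Stream * | Select-Object Stream, Length
```

-LiteralPath is used throughout because file names containing [ or ] would otherwise be interpreted as wildcards, and the -Stream parameter only exists on the FileSystem provider, so the script must run against a local or mapped NTFS path.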
I am attaching screenshots with similar commands executed in my VM.
PowerShell payload in ADS (PoC)
Quick lab PoC overview
Step 1. A harmless-looking image file is downloaded onto the victim machine.
This is the payload/exploit for this particular setup. This seemingly harmless text file has an ADS with PowerShell scripts in it. Since this is a lab setup, the PowerShell script is kept to the bare minimum. It scans for images stored on the system. It copies all such files to a location within the system. It compresses them into a single file. It finally uploads the file to a remote server. Ideally I would have put 2 more lines to break the compressed file into smaller chunks. Since this is a lab setup and I had very few photos in my VM, I took the liberty of not doing it.
Step 2. The ADS script is shown in the screenshot below. It is obfuscated to hide a few details, but the important fact is that such scripts can be written with very little effort.
PowerShell script (partly shown):
Step 3. The script is executed. I have also attached a screenshot to show that a .rar file has been created because of the PowerShell script. This entire exercise emulates a classic data exfiltration scenario.
Executing the script:
Final result in victim machine:
Cleanup (remove ADS and artifacts)
# remove the "Cracker" ADS from the host file; -ErrorAction SilentlyContinue hides the error if the stream is already gone
Remove-Item -Path 'C:\Users\Testuser1\Downloads\Diwali_wishes.jpg' -Stream Cracker -ErrorAction SilentlyContinue
Detection & Blue-Team hints (short)
- Quick tools: Sysinternals streams.exe (streams -s <path>) and PowerShell Get-Item -Stream *.
- Automated scan: run a scheduled PowerShell script that enumerates files with more than one stream and reports them (I’ll publish one in the Blue-Team post - my subsequent post).
- Logging & monitoring: watch for suspicious PowerShell process invocations that read unusual file streams, or for CreateProcess events where command lines reference temp extracts. Use Procmon/Sysmon to capture and tune alerts.
- Forensics: MFT and USN journal entries can help timeline ADS creation/deletion.
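One way to implement the automated scan described above, as an added defender example (my code, not the scanner the author plans to publish): walk a directory tree, report every named stream other than the default :$DATA, skip the streams Windows writes itself, and record what the first bytes look like so triage can separate a stray image from a script or executable. The root path, the ignore list, the report path and the signature table are assumptions; tune them for your environment.

```powershell
# Added defender example (not the original post's code). Assumed: root path,
# ignore list, report path and the small magic-number table below.

function Get-StreamMagic {
    # Peek at the first 8 bytes of a stream and classify them (assumed signatures).
    param([string]$Path, [string]$Stream)
    $gc = @{ LiteralPath = $Path; Stream = $Stream; TotalCount = 8; ErrorAction = 'SilentlyContinue' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $gc.AsByteStream = $true } else { $gc.Encoding = 'Byte' }
    $b = @(Get-Content @gc)
    if ($b.Count -lt 2) { return 'empty/short' }
    $hex = -join ($b | ForEach-Object { $_.ToString('X2') })
    switch -Regex ($hex) {
        '^4D5A'     { return 'PE executable (MZ)' }
        '^504B0304' { return 'ZIP/Office archive (PK)' }
        '^52617221' { return 'RAR archive (Rar!)' }
        '^FFD8FF'   { return 'JPEG image' }
        '^89504E47' { return 'PNG image' }
    }
    # Anything left: printable ASCII plus tab/CR/LF looks like text or a script.
    $nonText = @($b | Where-Object { $_ -gt 0x7E -or ($_ -lt 0x20 -and $_ -notin 9, 10, 13) }).Count
    if ($nonText -eq 0) { 'text/script-like' } else { 'unknown binary' }
}

function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Streams Windows writes for Mark-of-the-Web and similar housekeeping.
        # Dropping Zone.Identifier is a tuning choice: keep it if you also want
        # to see which files were downloaded from the internet.
        [string[]]$IgnoreStream = @('Zone.Identifier', 'SmartScreen', 'encryptable'),
        [int]$MinBytes = 0
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * yields one object per $DATA attribute; the default one is ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream -and $_.Length -ge $MinBytes } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $file.FullName
                Stream       = $_.Stream
                StreamBytes  = $_.Length
                VisibleBytes = $file.Length        # what Explorer shows
                LastWrite    = $file.LastWriteTime
                Looks        = Get-StreamMagic -Path $file.FullName -Stream $_.Stream
            }
        }
    }
}

# Usage (lab): scan the lab folder, show hits, and keep a CSV for triage.
$hits = Find-AlternateDataStream -Root 'C:\Lab' -MinBytes 1
$hits | Format-Table Path, Stream, StreamBytes, Looks -AutoSize
if ($hits) { $hits | Export-Csv -LiteralPath 'C:\Temp\ads-report.csv' -NoTypeInformation }
```

Run it from a scheduled task under an account that can read the target tree; on a large volume pass a narrower -Root (user profiles, download and temp folders) and a -MinBytes floor, and diff successive CSVs so only new or grown streams surface.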
Conclusion & what’s next
ADS is a small NTFS feature with outsized impact: it’s legitimately useful but can be abused for stealth. In this post we created ADS entries for both an image and a benign PowerShell payload, demonstrated in-memory execution, and showed verification and cleanup steps.
Next post (coming soon): a detailed Blue-Team guide showing a reusable PowerShell ADS scanner, Sysmon rules to detect suspicious ADS usage, a Procmon walkthrough, and a short response playbook for triage & remediation. Stay tuned!
References & further reading
- Microsoft docs on file streams and NTFS (search for NTFS alternate data streams).
- Sysinternals Streams.exe — small tool for listing/deleting streams.

Saravana Gautham | Sciencx (2025-09-30T16:35:59+00:00) ADS — Alternate Data Streams (Beginner friendly PoC). Retrieved from https://www.scien.cx/2025/09/30/ads-alternate-data-streams-beginner-friendly-poc/