
Artifact Analysis: NTFS Alternate Data Streams (ADS)

To understand ADS, analysts must look at how the New Technology File System (NTFS) manages data. Every file on an NTFS volume consists of a set of attributes stored within a Master File Table (MFT) record.

The actual content of a file is stored in the $DATA attribute. A standard file has a single, unnamed $DATA attribute. However, NTFS allows a single file to have multiple, named $DATA attributes. These are the Alternate Data Streams.

An ADS is addressed by appending a colon (:) to the primary file’s name, followed by the stream name and, optionally, the attribute type:

FileName.extension:StreamName.extension:$DATA

For example, if an attacker hides a payload named malware.exe inside a benign text file named readme.txt, the resulting stream is addressed as: readme.txt:malware.exe

Crucially, adding a 50MB executable to the ADS of a 1KB text file will not change the reported file size of the text file in Windows Explorer or standard dir commands, making the payload completely invisible to the casual observer.

2. Legitimate Usage: The Zone.Identifier (MoTW)


Before hunting for malware, DFIR analysts must understand the most critical legitimate use of ADS: the Mark of the Web (MoTW).

When a user downloads a file from the internet via a web browser or email client, Windows automatically creates an ADS named Zone.Identifier. This stream contains metadata indicating the file’s origin zone (e.g., Internet, Intranet).

Forensic Value of MoTW

During a Suspicious Email Analysis or phishing investigation, reading the Zone.Identifier stream of a downloaded payload reveals the exact URL from which the file was downloaded (the HostUrl field). This provides immediate, high-fidelity IOCs for threat hunting.
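Reading that stream comes down to parsing a small INI-style block. The following is an added Python example, not code from the original article: it parses a constructed Zone.Identifier stream (the [ZoneTransfer] section Windows writes, with ZoneId, ReferrerUrl and HostUrl keys) and extracts the URL fields as indicators. The sample text and URLs are invented, and the code never opens an ADS itself, so it runs on any platform against stream contents exported during live response or MFT parsing. ZoneId is the only key that is always present; HostUrl and ReferrerUrl are written only by clients that record them, so the parser treats both as optional.

```python
"""Parse a Zone.Identifier (Mark of the Web) stream into triage fields.

Added example, not code from the original article. The stream text is a
constructed sample of the [ZoneTransfer] block Windows writes; nothing
here opens an ADS on disk, so it runs on any platform.
"""
import configparser

# URL security zone ids as Windows records them in the ZoneId key.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample stream. Windows writes CRLF line endings; only ZoneId
# is always present, the URL keys depend on the downloading client.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/files/invoice.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Return the ZoneTransfer fields with a human-readable zone name.

    Raises ValueError when no [ZoneTransfer] section exists, so a stream
    that merely happens to be called Zone.Identifier is not reported as
    a download marker with an empty origin.
    """
    # interpolation=None keeps '%' sequences in URLs from being expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)  # configparser strips the trailing '\r'
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a MoTW stream")
    section = parser["ZoneTransfer"]  # option names are lower-cased by default
    zone_id = int(section.get("zoneid", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        # Optional: present only if the client recorded them. An empty
        # value such as 'HostUrl=' is normalised to None.
        "referrer_url": section.get("referrerurl") or None,
        "host_url": section.get("hosturl") or None,
    }


def iocs_from_zone_identifier(text: str) -> list:
    """Return the URL fields that are present, HostUrl first."""
    fields = parse_zone_identifier(text)
    return [u for u in (fields["host_url"], fields["referrer_url"]) if u]


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId {info['zone_id']} ({info['zone_name']})")
    for url in iocs_from_zone_identifier(SAMPLE_STREAM):
        print("IOC:", url)
```

On a live Windows host the same text is obtained with Get-Content -Stream Zone.Identifier; from a forensic image it is the named $DATA attribute that the MFT parser exports. Either way the parser above only sees the stream text.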

Threat actors leverage ADS across multiple phases of the kill chain: staging payloads, establishing persistence, and evading detection.

Adversaries often use built-in Windows commands to pipe malicious binaries or scripts into the ADS of legitimate system files or mundane documents.

# Staging a malicious executable inside a standard text file
type evil.exe > C:\Users\Public\readme.txt:hidden.exe

Writing to an ADS is trivial; executing from it requires specific “Living off the Land” (LOLBAS) techniques. Since modern Windows versions restrict executing an .exe directly from an ADS via the command line, attackers use indirect execution methods.

  1. WMI Execution: Using Windows Management Instrumentation to launch the hidden executable.
     wmic process call create "C:\Users\Public\readme.txt:hidden.exe"
  2. Rundll32 Execution: If the hidden payload is a DLL, it can be executed using the native rundll32.exe utility.
     rundll32.exe C:\Users\Public\readme.txt:hidden.dll,EntryPoint
  3. Script Execution: Hiding PowerShell or VBScript code inside an ADS and executing it via Get-Content or wscript.

Because ADS payloads are invisible to standard dir or Windows Explorer checks, analysts must use specific utilities during live response or offline MFT parsing.

  • Command Prompt: The /R flag instructs the dir command to display alternate data streams.
    dir /R C:\Users\Public\
  • PowerShell: Native cmdlets can query and read streams directly.
    Get-Item -Path C:\Users\Public\readme.txt -Stream *
    Get-Content -Path C:\Users\Public\readme.txt -Stream hidden.exe

When analyzing a forensic image, analysts parse the $MFT file. Tools like Eric Zimmerman’s MFTECmd will explicitly list files containing named $DATA attributes, allowing analysts to extract the hidden payload directly from the raw disk image regardless of OS restrictions.

Detecting ADS abuse requires granular endpoint telemetry. Native Windows event logs are insufficient; organizations must rely on Sysmon or EDR solutions.

Sysmon Event ID 15 (FileCreateStreamHash) is specifically designed to log the creation of named file streams. It records the target file, the stream name, and crucially, the cryptographic hash of the stream’s contents, enabling immediate IOC correlation.

hunt_ads_creation.kql
// Detect the creation of executable streams attached to files
DeviceEvents
| where ActionType == "SysmonFileCreateStreamHash"
// Filter out the Zone.Identifier and SmartScreen streams Windows writes itself
| where TargetFileName !endswith ":Zone.Identifier"
| where TargetFileName !endswith ":SmartScreen"
// Match on the extension of the stream name itself (the part after the last colon),
// so a parent file such as setup.exe does not produce a hit on its own
| where TargetFileName matches regex @"(?i):[^\\:]+\.(exe|dll|vbs|ps1)$"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, TargetFileName, SHA256
| sort by TimeGenerated desc
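To make the filtering logic concrete and portable, here is an added Python example that is not part of the original article. It applies the same idea as the hunt above to a handful of constructed Sysmon Event ID 15 records (field names modeled on the Sysmon event: UtcTime, Image, TargetFilename, Hash, plus the Computer name from the event header; hosts, paths and hash values are invented). It goes slightly beyond the query in two ways: it splits the file:stream syntax described earlier properly (skipping the drive letter’s colon and dropping a trailing :$DATA attribute type), and it tests the extension of the stream name itself rather than searching the whole path, so a parent file called invoice.exe does not produce a false hit.

```python
"""Triage Sysmon Event ID 15 (FileCreateStreamHash) records for ADS abuse.

Added example, not code from the original article. Field names are
modeled on the Sysmon event (UtcTime, Image, TargetFilename, Hash) plus
the Computer name from the event header; every record below is
constructed, including the placeholder hash values.
"""
import re
from typing import List, Optional, Tuple

# Streams Windows itself writes when files are downloaded or checked.
BENIGN_STREAMS = {"zone.identifier", "smartscreen"}
# Stream extensions the hunt treats as executable content (tune per estate).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".vbs", ".ps1"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00.000", "Computer": "WS01",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.zip:Zone.Identifier",
     "Hash": "SHA256=CONSTRUCTED_A"},
    {"UtcTime": "2024-05-01 10:05:00.000", "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\readme.txt:hidden.exe",
     "Hash": "SHA256=CONSTRUCTED_B"},
    # Parent name contains '.exe' but the stream itself is not executable:
    # a substring match on the whole path would flag this one wrongly.
    {"UtcTime": "2024-05-01 10:10:00.000", "Computer": "WS02",
     "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.exe:meta.json",
     "Hash": "SHA256=CONSTRUCTED_C"},
    {"UtcTime": "2024-05-01 10:15:00.000", "Computer": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"\\fileserver\share\policy.docx:update.ps1",
     "Hash": "SHA256=CONSTRUCTED_D"},
    {"UtcTime": "2024-05-01 10:20:00.000", "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\readme.txt:hidden.dll:$DATA",
     "Hash": "SHA256=CONSTRUCTED_E"},
]


def split_ads_path(path: str) -> Tuple[str, Optional[str]]:
    """Split 'C:\\dir\\file.txt:stream[:$DATA]' into (file path, stream).

    The colon after a drive letter is not a stream separator, and a
    trailing ':$DATA' (the attribute type) is dropped. Returns
    (path, None) when no named stream is present.
    """
    prefix_len = 2 if re.match(r"[A-Za-z]:", path) else 0
    rest = path[prefix_len:]
    if ":" not in rest:
        return path, None
    file_part, stream_part = rest.split(":", 1)
    stream_name = stream_part.split(":", 1)[0]
    return path[:prefix_len] + file_part, stream_name or None


def stream_extension(stream_name: str) -> str:
    """Lower-cased extension of the stream name, '' if it has none."""
    dot = stream_name.rfind(".")
    return stream_name[dot:].lower() if dot >= 0 else ""


def is_suspicious_stream(event: dict) -> bool:
    """True for a named stream with an executable extension that is not
    one of Windows' own download-marker streams."""
    _, stream = split_ads_path(event["TargetFilename"])
    if stream is None or stream.lower() in BENIGN_STREAMS:
        return False
    return stream_extension(stream) in EXECUTABLE_EXTENSIONS


def hunt(events: List[dict]) -> List[dict]:
    """Return suspicious records newest first, trimmed to triage fields."""
    hits = sorted((e for e in events if is_suspicious_stream(e)),
                  key=lambda e: e["UtcTime"], reverse=True)
    keep = ("UtcTime", "Computer", "Image", "TargetFilename", "Hash")
    return [{k: e[k] for k in keep} for e in hits]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["UtcTime"], hit["Computer"], hit["Image"], "->",
              hit["TargetFilename"], hit["Hash"])
```

The Hash value carried through to the output is what ties a stream creation to a known sample: the same hash appearing in a later Process Create or image-load event, or in a threat-intelligence feed, is the correlation the article describes.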

Disabling Alternate Data Streams is not possible, as it is a fundamental architectural component of the NTFS file system required by legitimate Windows services. Mitigation relies entirely on strict Execution Prevention (blocking execution from unauthorized paths using WDAC/AppLocker) and robust Behavioral Monitoring (EDR/Sysmon) to detect the creation and execution of anomalous streams.