Alternate Data Streams (ADS)
Description: As detailed in the Windows Fundamentals section, NTFS Alternate Data Streams allow embedding hidden data "behind" a standard file or directory without affecting the primary file's size or apparent content in tools like File Explorer.
Mechanism: A cheater can store an entire executable (such as `cheat.exe`) or other malicious content within an ADS attached to an innocuous host file (e.g., `notes.txt`).
Creation Example: Using the command prompt: `type C:\path\to\cheat.exe >> C:\path\to\benign_file.txt:hidden_stream_name.exe` (the `type` command reads the binary content of the cheat and `>>` redirects it into the named ADS of the benign file).
Execution Example: Running the stream content usually requires specific commands such as `wmic process call create "C:\path\to\benign_file.txt:hidden_stream_name.exe"`, or utilities like `forfiles`. Double-clicking the host file (`benign_file.txt`) will not run the ADS content.
Why Cheaters Use It: This is a powerful concealment technique. It hides the malicious payload from standard file browsing and simple scans that only look for standalone files. The host file appears completely normal in size and content.
Detection:
ADS Viewers: Tools like AlternateStreamView (Nirsoft) or Sysinternals' Streams are essential. Scan relevant directories (Downloads, Desktop, Temp, game folders) or entire drives to list all files containing ADS. Examine streams with suspicious names or significant sizes.
Command Line: `dir /r` lists streams in the current directory. PowerShell's `Get-Item -Stream *` can inspect specific files.
USN Journal: Creating, modifying, or deleting an ADS typically generates `STREAM_CHANGE` or `NAMED_DATA_OVERWRITE` / `NAMED_DATA_EXTEND` / `NAMED_DATA_TRUNCATION` events in the journal, associated with the host file. Finding these events linked to otherwise normal files can be suspicious.
Memory Analysis: If the ADS content was executed, traces might be found in process memory (e.g., searching for strings from the hidden cheat within `csrss.exe` or the process launched via `wmic`).
Specialized Tools: Forensic suites or tools like Velociraptor often have specific modules (e.g., `Windows.NTFS.ADSHunter`) designed to find and analyze ADS across a system.
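An added triage helper (not from the original page) that reads `dir /r` output and flags streams by the criteria listed above: names with executable extensions, names other than the `Zone.Identifier` mark-of-the-web stream that Windows writes to downloads, and sizes above a threshold. The sample listing, the size threshold and the benign-name allowlist are constructed assumptions.

```python
import re

BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen"}  # mark-of-the-web streams Windows adds to downloads
EXEC_EXTS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js")
SIZE_THRESHOLD = 4096  # bytes; Zone.Identifier streams are normally well under 1 KiB

# dir /r prints each ADS on its own line: a size column, then host:stream:$DATA
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

def parse_dir_r(text):
    """Yield (directory, host_file, stream_name, size_bytes) for every ADS listed."""
    current_dir = ""
    for line in text.splitlines():
        d = DIR_LINE.match(line)
        if d:
            current_dir = d.group(1)
            continue
        s = STREAM_LINE.match(line)
        if s:
            size = int(s.group(1).replace(",", ""))  # dir uses thousands separators
            yield current_dir, s.group(2), s.group(3), size

def triage(text):
    """Return [(host_path:stream, [reasons])] for streams that deserve a closer look."""
    findings = []
    for directory, host, stream, size in parse_dir_r(text):
        reasons = []
        if stream.lower().endswith(EXEC_EXTS):
            reasons.append("executable-looking stream name")
        if stream not in BENIGN_STREAMS:
            reasons.append("non-standard stream name")
        if size >= SIZE_THRESHOLD:
            reasons.append(f"large stream ({size} bytes)")
        if reasons:
            findings.append((f"{directory}\\{host}:{stream}", reasons))
    return findings

# Constructed sample of dir /r output, not a real capture; the .exe stream is what
# the creation example above would leave behind.
SAMPLE = r"""Directory of C:\Users\alice\Downloads
03/01/2024  10:20 AM               512 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
                                65,536 notes.txt:hidden_stream_name.exe:$DATA
03/01/2024  10:21 AM             2,048 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
                                   900 report.pdf:backup:$DATA
"""
```

Feed it the saved output of `dir /r /s` over the directories named above; the two `Zone.Identifier` streams in the sample are deliberately left unflagged so real listings are not drowned in download markers.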