CybersLion

NTFS Alternate Data Streams (ADS) — उपकरण, उपयोग और प्रैक्टिकल अभ्यास

 

NTFS Alternate Data Streams (ADS) — उपकरण, उपयोग और प्रैक्टिकल अभ्यास

1. संक्षेप में: ADS क्या हैं?

NTFS में हर फाइल के साथ एक मुख्य डेटा स्ट्रीम होती है; Alternate Data Streams (ADS) एक अतिरिक्त “छिपी” स्ट्रीम जोड़ने का तरीका है (उदा. file.txt:secret)। यह फाइल का आकार नहीं बदलता और सामान्य देखने पर दिखाई नहीं देता। 

2. ADS क्यों खतरनाक हैं?

हमलावर ADS में मलिशियस स्क्रिप्ट, एक्ज़ीक्यूटेबल या संवेदनशील डेटा छिपा कर एंटीवायरस और साधारण स्कैन से बच सकते हैं। इसलिए ADS की पहचान और निगरानी जरूरी है। 


3. मुख्य उपकरण (और कब इस्तेमाल करें)

  • Sysinternals Streams.exe — तेज़ CLI स्कैनर; सूची बनाना और डिलीट करने के काम आता है। 

  • PowerShell (Get-Item -Stream) — बिल्ट-इन और स्क्रिप्टेबल; फॉरेंसिक व हंटिंग में उपयोगी। 

  • NirSoft AlternateStreamView — GUI-आधारित स्कैन और एक्सपोर्ट; रिपोर्ट बनाने में सुविधाजनक। 

  • Forensic Suites (EnCase/FTK/TSK) — डीप फाइल सिस्टम विश्लेषण और कोर्ट-एडमिसिबल साक्ष्य। 


4. व्यावहारिक आदेश (उदाहरण)

  • Streams recursive रिपोर्ट:

streams -s C:\Users\Public > C:\temp\streams_report.txt
  • PowerShell से स्ट्रीम पढ़ना:

Get-Item C:\temp\example.txt -Stream * Get-Content -Path C:\temp\example.txt -Stream secret
  • NirSoft: GUI में ड्राइव चुनें → सभी स्ट्रीम दिखेंगे → CSV/HTML में सेव करें। 


5. प्रैक्टिकल लैब (सुरक्षित अभ्यास)

  1. आइसोलेटेड VM बनाएं और स्नैपशॉट लें।

  2. readme.txt बनाएं और उसमें evil नामक स्ट्रीम जोड़ें (PowerShell)।

  3. streams -s चला कर पुष्टि करें और फिर Get-Content -Stream से एक्सट्रैक्ट करें। कभी भी होस्ट पर मालवेयर न चलाएँ। 


6. निष्कर्ष और सर्वोत्तम अभ्यास

ADS छिपने के लिए एक प्रभावी तकनीक हैं—इसलिए नियमित स्कैन, SIEM/EDR के साथ इंटीग्रेशन, और फॉरेंसिक-लेवल संग्रह ज़रूरी है। Sysmon के साथ ADS-विशेष नियम बनाएं और महत्वपूर्ण सर्वरों पर आवधिक streams/PowerShell स्कैन शेड्यूल करें।

NTFS ADS Detection Tools — How to Find, Analyze & Remove Hidden Streams

 

NTFS Alternate Data Streams (ADS) — Detection Tools, Step-by-Step Usage & Practical Lab

Meta Description: Learn how NTFS Alternate Data Streams work, why they’re abused by attackers, and how to detect and remediate them using Sysinternals Streams, PowerShell, NirSoft AlternateStreamView, forensic suites and SIEM/Sysmon detections — with hands-on commands and a practice lab.


English — What, Why & How (Practical, Tool-Focused)

1. Quick overview: What are NTFS Alternate Data Streams (ADS)?

NTFS supports multiple data streams per file. The default stream holds the visible file contents; alternate data streams (ADS) let another “hidden” stream be attached to a file (e.g., file.txt:secret) without changing the file’s visible size or normal hash. This capability was introduced for compatibility/backwards-features in NTFS but is frequently abused to hide data or malicious payloads. 


2. Why ADS detection matters (threat context)

Threat actors hide scripts, executables, stolen data, or indicators inside ADS to evade antivirus, file hashing, and casual inspection. Modern blue teams therefore hunt for executions from ADS, Zone.Identifier usage, and unexpected streams on high-value files or user downloads. Detection is essential because ADS can persist through normal file checks and even survive casual backups if not accounted for. 


3. Core detection tools (what to use and when)

Below are the practical, field-proven tools and their core strengths:

  • Sysinternals Streams.exe — fast CLI scanner to list and optionally delete ADS; very handy for scripted inventory and remediation. Use this for broad scans and automated cleanup.

  • PowerShell (Get-Item -Stream, Get-ChildItem -Stream *) — built-in, flexible, scriptable way to enumerate and read streams from files and directories; ideal for forensic workflows and SIEM integration. 

  • NirSoft AlternateStreamView — GUI tool for Windows to scan, extract or delete streams; good for analysts that prefer visual review and exportable reports (CSV/HTML). 

  • Forensic suites (EnCase / FTK / The Sleuth Kit / Autopsy / XRY) — full NTFS forensic analysis including ADS extraction, timeline correlation, and evidence preservation for incident response. Use when you need court-admissible artifacts or deep file system analysis. 

  • SIEM & Endpoint telemetry (Sysmon + Splunk/Elastic) — detect runtime indicators such as “process executed a file from an ADS” or sudden reads of :Zone.Identifier streams; integrate detection rules into EDR/SIEM. 


4. Hands-on usage — commands and examples

A. Using Streams.exe (Sysinternals)

  1. Download Streams and place it in C:\Tools.

  2. Scan a directory (recursive):

streams -s C:\Users\Public > C:\temp\streams_report.txt
  • -s recurses subdirectories.

  • To delete all streams found under a path (use with caution, test first):

streams -s -d C:\path\to\scan

When to use: quick inventory, scheduled scans, automated cleanup scripts. 

B. PowerShell — enumerate and read streams

  • List streams for a file

Get-Item C:\temp\example.txt -Stream *
  • Recursive scan for all streams in a folder

Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-Item $_.FullName -Stream * } | Where-Object { $_.Stream -ne '::$DATA' }
  • Read a named stream

Get-Content -Path C:\temp\example.txt -Stream secret

When to use: custom hunting, automation, ingestion of results into SIEM/CSV. 

C. NirSoft AlternateStreamView (GUI)

  • Launch the tool, point it at a drive, and it lists file, stream name, size, and offset. You can export to CSV, save stream contents, or delete selected streams. Good for analysts who need quick visual triage. 

D. SIEM / Sysmon rule example (behavioral)

  • Create a detection that triggers on process creation where ImageLoaded or CommandLine references an ADS (e.g., C:\file.txt:evil.exe). Splunk/Elastic queries can look for Sysmon Event ID 1 where Image contains : pattern or CommandLine references -Stream. Microsoft/Threat intel blogs show this approach reduces stealthy ADS execution. 


5. Practical detection playbook (triage + hunting)

  1. Baseline sweep: run streams -s and a PowerShell Get-ChildItem -Stream scan on endpoints to build a baseline of normal ADS usage (e.g., Zone.Identifier on downloads). 

  2. Hunt for anomalies: look for large or executable streams attached to seemingly small files, or streams with uncommon names. Correlate with process execution logs (Sysmon) and network indicators. 

  3. Contain & extract: if malicious ADS found, extract the stream to a quarantined lab VM for static/dynamic analysis (NirSoft or PowerShell Get-Content → save). Preserve file system timestamps and metadata for forensics.

  4. Remediate: remove the ADS (streams -d or Remove-Item -Path file -Stream name) after evidence collection and patch the initial vector (user education, blocked attachments, patch vulnerable software). 


6. Lab exercise (safe practice environment)

Goal: detect, extract and analyze an ADS-hidden executable.

Setup

  • Create isolated lab (VirtualBox/VMware) offline. Snapshot the VM.

  • Tools: Sysinternals Streams, PowerShell, NirSoft AlternateStreamView, an EDR agent if available, and a sandboxed analysis VM.

Steps

  1. Create a benign file: echo "hello" > C:\lab\readme.txt

  2. Add hidden stream: (on lab VM)

Set-Content -Path C:\lab\readme.txt -Stream evil -Value (Get-Content C:\lab\payload.exe -Encoding Byte)
  1. Run streams -s C:\lab and confirm readme.txt:evil is listed. 

  2. Extract stream with PowerShell:

Get-Content -Path C:\lab\readme.txt -Stream evil -Encoding Byte -ReadCount 0 | Set-Content -Path C:\lab\extracted_payload.exe -Encoding Byte
  1. Analyze extracted_payload.exe inside sandbox (do NOT run on host). Document timestamps and evidence.

Learning outcomes: how ADS are created, how to find them with multiple tools, and safe extraction for analysis.


7. Detection limitations & best practices

  • Limitations: Some older telemetry (basic Windows Event Logs) do not record ADS creation/removal. Sysmon and EDR sensors vary in coverage; rely on multiple data sources. 

  • Best practices: enable Sysmon with rules for ADS execution, schedule periodic streams/PowerShell scans on critical hosts, integrate results into your SIEM, and use forensic suites for post-compromise evidence preservation. 


8. References & further reading

Key references used to compile this practical guide: Microsoft/Sysinternals Streams documentation, NirSoft AlternateStreamView, MITRE ATT&CK technique T1564.004 (Hide Artifacts: Alternate Data Streams), Splunk/Sysmon detection guidance, and forensic toolkit documentation.