File System Vulnerabilities
What is ADS?
Alternate Data Streams (ADS) is a feature of the NTFS (New Technology File System), originally designed for compatibility with MacOS HFS (Hierarchical File System).
How ADS Works
When a file is created on an NTFS-formatted drive, it consists of two separate data streams:
Data Stream – The primary stream that stores the actual content of the file.
Resource Stream – A secondary stream that typically holds metadata about the file.
How Attackers Use ADS for Evasion
Malicious code or executables can be hidden inside the resource stream of legitimate files.
Since most antivirus (AV) and static scanning tools focus only on the primary data stream, malware stored in ADS can evade detection.
This technique is commonly used to bypass signature-based security solutions.
type payload.exe > windowslog.txt:winpeas.exe
start windowslog.txt:winpease.exe
mklink wupdate.exe C:\Temp\windowslog.txt:winpease.exeI used Alternate Data Streams (ADS) to hide and execute a malicious file in a way that avoids detection. Here's what I did:
Hid the Payload Inside an ADS Stream
type payload.exe > windowslog.txt:winpeas.exeI embedded
payload.exeinside the resource stream ofwindowslog.txt. This means the file remains hidden and won't show up in normal directory listings.
Executed the Hidden File
start windowslog.txt:winpeas.exeI ran the hidden file (
winpeas.exe) from insidewindowslog.txt, proving that it can still be executed even though it remains invisible in standard file explorers.
Created a Hard Link for Evasion
mklink wupdate.exe C:\Temp\windowslog.txt:winpeas.exeI created a symbolic link (
wupdate.exe) that points to the hiddenwinpeas.exe. This allows me to execute the hidden file by simply runningwupdate.exe, further hiding its presence.
By doing this, I successfully hid and executed a file using ADS, which is a common technique to evade basic security scans and traditional antivirus detection.
Last updated