# Alternate Data Streams

{% embed url="https://blog.foldersecurityviewer.com/ntfs-alternate-data-streams-the-good-and-the-bad/" %}
ADS Good and Bad
{% endembed %}

{% embed url="https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/" %}
Malicious Use of ADS
{% endembed %}

### What is ADS?

Alternate Data Streams (ADS) have been around since the introduction of Windows NTFS. They were designed to provide compatibility with Apple's old Hierarchical File System (HFS) on the Mac, which uses a similar concept called resource forks.

Basically, ADS can be used to hide a secret or malicious file inside the file record of an innocent-looking file. That is, when Windows shows you a file, say "readme.txt", the metadata that tells your system where to find "readme.txt" may also carry the data for "EvilSpyware.exe". Malicious files may therefore be present on your system without being visible through normal means.

### Good of ADS

* Windows Resource Manager leverages ADS to identify high risk files that shouldn’t be accessed.
* The Windows operating system uses ADS to encrypt and store files in a secure manner.
* The Windows Attachment Manager uses ADS as a file scanner. This explains why sometimes you receive warnings when you open a file downloaded from the Internet.
* The SQL Database server uses ADS to maintain database integrity.
* Citrix’s virtual memory uses ADS to boost DLL loading speed.
* Anti-virus applications, such as Kaspersky, use ADS to enhance the scanning of files.

### Show ADS Streams

Check which streams the file has. This lets us find hidden files. If the file was extracted from an archive, we can see where it came from, and if it has a Zone.Identifier stream, we can find the download URL.

```powershell
Get-Item -path 'FILEPATH' -stream *
```

### Show Zone Identifier

A Zone.Identifier stream with ZoneId=3 (the Internet zone) shows the URL the file was downloaded from.

```powershell
Get-Content -path 'FILEPATH' -stream Zone.identifier
```

{% embed url="https://be4sec.com/2021/07/29/zone-identifier-commands/" %}
Types of Zone Identifiers
{% endembed %}

| Browser               | Version  | Captures URL in ADS |
| --------------------- | -------- | ------------------- |
| **Internet Explorer** | 11       | No                  |
| **Edge**              | 42.17134 | Yes                 |
| **Chrome**            | 68       | Yes                 |
| **Firefox**           | 61       | No                  |
| **Tor**               | 7.5.6    | No                  |

### URL Not Showing Up

If the HostUrl shows as **about:internet** instead of a real URL, the file was most likely downloaded through HTML Smuggling.

**HTML Smuggling**:

```
ZoneId=3
HostUrl=about:internet
```

**Traditional Download**:

{% code lineNumbers="true" %}

```
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
HostUrl=https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
```

{% endcode %}

{% embed url="https://www.senturean.com/posts/21_04_11_ways_of_phishing_02/#4-unique-zoneidentifier-values" %}
HTML Smuggling
{% endembed %}

### Read Contents of Stream

```powershell
Get-Content -path 'FILEPATH' -stream HIDDENFILE
```
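Pulling the stream-listing and Zone.Identifier commands above together, here is an added PowerShell triage function (not from the original page or the linked posts) that walks a folder, lists every stream other than the default `:$DATA`, and parses each Zone.Identifier into ZoneId, HostUrl and ReferrerUrl, flagging the `about:internet` case from the HTML Smuggling section. The function name `Get-AdsTriage` and its `$Path` parameter are assumptions of this example.

```powershell
# Added example (not from the original page): triage a folder for NTFS alternate
# data streams and parse each Zone.Identifier as the sections above read it.
# Assumed: PowerShell 5.1+ on an NTFS volume; $Path is the directory to check.
function Get-AdsTriage {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            $result = [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                ZoneId      = $null
                HostUrl     = $null
                ReferrerUrl = $null
                Note        = $null
            }
            if ($s.Stream -ieq 'Zone.Identifier') {
                # Zone.Identifier is INI-style text: a [ZoneTransfer] header then Key=Value lines.
                $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
                $kv = @{}
                foreach ($line in ($raw -split "`r?`n")) {
                    if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2] }
                }
                $result.ZoneId      = $kv['ZoneId']
                $result.HostUrl     = $kv['HostUrl']
                $result.ReferrerUrl = $kv['ReferrerUrl']
                if ($kv['ZoneId'] -eq '3' -and -not $kv['HostUrl']) {
                    $result.Note = 'Internet zone but no HostUrl recorded (some browsers do not capture the URL)'
                } elseif ($kv['HostUrl'] -eq 'about:internet') {
                    $result.Note = 'HostUrl is about:internet: no real download URL (see HTML Smuggling section)'
                }
            } else {
                # Any other named stream may hold hidden content; read it with Get-Content -Stream.
                $result.Note = 'Additional data stream present; inspect with Get-Content -Stream'
            }
            $result
        }
    }
}

# Usage: Get-AdsTriage -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```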
