# Alternate Data Streams

## Execution

Creating a benign text file:

{% code title="attacker@victim" %}

```powershell
echo "this is benign" > benign.txt
Get-ChildItem
```

{% endcode %}

![](/files/-LJzMoqdhLcsCZg5RYja)

![](/files/-LJzLKIXTh8RFLyGkbkU)

Hiding an `evil.txt` file inside `benign.txt` as an alternate data stream:

{% code title="attacker@victim" %}

```powershell
cmd '/c echo "this is evil" > benign.txt:evil.txt'
```

{% endcode %}

![](/files/-LJzMr4IhUYWff8drVRU)

![](/files/-LJzLLrFzRYmkoeztu8N)

Note how evil.txt is not visible in Explorer: it now lives in an alternate data stream of benign.txt. Opening benign.txt shows no sign of evil.txt. However, the data in evil.txt can still be read from the command line with `type benign.txt:evil.txt`, as shown below:

![](/files/-LJzMwYrgjXaANJnds12)

Additionally, we can view the stream contents in Notepad by issuing:

{% code title="attacker@victim" %}

```powershell
notepad .\benign.txt:evil.txt
```

{% endcode %}

![](/files/-LJzMythJAAqKdLKSwB4)

## Observations

![](/files/-LJzNwb0DZdbCU39L2t9)

Note that PowerShell can also help find alternate data streams:

```powershell
# List every NTFS stream attached to the file (':$DATA' is the regular file content)
Get-Item c:\experiment\evil.txt -Stream *
# Read the contents of the hidden evil.txt stream attached to benign.txt
Get-Content .\benign.txt -Stream evil.txt
```

![](/files/-LJzPdRam1MNcCP92G0J)
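Building on the `Get-Item -Stream *` approach above, the following is an added defender-side example (not the page's own code) that audits a whole directory tree for non-default streams and dumps the contents of any unexpected ones. It assumes Windows PowerShell 3+ on NTFS; the `C:\experiment` path and the `Get-NonDefaultStreams` function name are assumptions for this example.

```powershell
# Added example: audit a directory for NTFS alternate data streams.
# Assumes Windows PowerShell 3+ (Get-Item/Get-Content -Stream) and an NTFS volume.
param(
    [string]$Path = 'C:\experiment'   # assumption: directory to audit
)

function Get-NonDefaultStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' returns every stream on the file; the unnamed ':$DATA'
            # stream is the ordinary file body, so only the others are reported.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Zone.Identifier is the Mark-of-the-Web stream browsers write on
                    # downloads and is common; any other named stream deserves a look.
                    $note = if ($_.Stream -eq 'Zone.Identifier') { 'browser MOTW (common)' }
                            else { 'unexpected stream' }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        Note   = $note
                    }
                }
        }
}

$findings = Get-NonDefaultStreams -Root $Path
$findings | Format-Table -AutoSize

# Pull the content of each unexpected stream for review, as the page does with
# Get-Content -Stream; a hidden 'evil.txt' stream on benign.txt would show up here.
foreach ($f in $findings | Where-Object Note -eq 'unexpected stream') {
    Write-Host "--- $($f.File):$($f.Stream) ---"
    Get-Content -LiteralPath $f.File -Stream $f.Stream -ErrorAction SilentlyContinue
}
```

Running it against the experiment directory from this page should list `benign.txt` with a stream named `evil.txt` and print its contents.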

## References

{% embed url="https://attack.mitre.org/wiki/Technique/T1096" %}

{% embed url="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/providers/filesystem-provider/get-item-for-filesystem?view=powershell-6" %}

{% embed url="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" %}

