Alternate Data Streams (ADS) are an NTFS file attribute that lets a file carry additional named data streams. Malicious actors can use them to embed hidden files and programs inside legitimate files, which can then be used to bypass detection on a target system.
To create a new file within an alternate data stream of a legitimate file, use the command 'notepad [legit file]:[secret file]'.
To embed a malicious executable within a legitimate text file, use the command 'type [executable] > [legit file]:[malicious executable]'.
A symbolic link can be created with the command 'mklink [designation] [path]:[executable]', meaning that the malicious file will be executed every time the designated file is invoked.
This method of evasion is simple, but it can help malicious actors avoid detection by human reviewers and by basic signature-based detection systems, because the stream's contents are not shown by a normal directory listing.
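The audit below is an added example, not part of the original note: it enumerates files that carry a non-default stream, which is the check a defender runs to find payloads hidden the way the note describes. It uses only standard PowerShell cmdlets (Get-ChildItem -File and Get-Item -Stream, available since PowerShell 3.0); the default $Root path and the function name are assumptions made for the example.

```powershell
# Added example, not part of the original note: a defender-side audit that
# lists files carrying alternate data streams, which is how ADS payloads of
# the kind described above are found. The $Root default is a hypothetical path.
function Find-AlternateDataStream {
    param(
        [string]$Root = 'C:\Users\Public',
        # Zone.Identifier is the benign "mark of the web" stream that browsers
        # add to downloads; skip it by default so real findings stand out.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * returns every stream of the file; ':$DATA' is
            # the ordinary file content, so anything else is an alternate stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream
                }
        } |
        Select-Object FileName, Stream, Length
}

# Example run: report every non-default stream under the audited directory.
Find-AlternateDataStream -Root 'C:\Users\Public' | Format-Table -AutoSize
```

A stream whose Length matches a known executable size, or any stream on a file that has no reason to carry one, is worth pulling out and scanning; 'dir /r' in cmd.exe shows the same stream names for a single directory if PowerShell is unavailable.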