A stream consists of data associated with a main file directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.
https://docs.microsoft.com/en-us/sysinternals/downloads/streams
NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures.
- How to hide files usign NTFS streams.
- Windows 7, 8, 10 or Windows Server 2012, 2016.
Make sure the C:\drive file system is NTFS format. To check this, go to Computer and right click C:\ and click Properties.
-
Open Windows Explorer and create a new folder called trick inside the C: drive.
-
Go to C:\windows\system32 and copy the calc.exe to the trick folder.
-
Launch the command prompt as Administrator, and navigate to C:\trick.
cd C:\trick -
Create a readme.txt file, type Hello World inside of it and save the file.
notepad readme.txt -
Back to command prompt and type dir to list the files on the current folder. Note the file size of readme.txt.
-
Now hide calc.exe inside the readme.txt by typing:
type c:\trick\calc.exe > c:\trick\readme.txt:calc.exe
-
Type dir again and note the file size of readme.txt did not change.
-
Back to the c:\trick and delete the calc.exe.
Execute the Hidden Application
-
Create a symlink:
mklink backdoor.exe readme.txt:calc.exe -
Execute the backdoor.exe by typing:
backdoor.exe
Attackers may hide malicious files from being visible to the legitimate users by using NTFS streams and execute them whenever required.