I was exploring Alternate Data Streams (ADS) on NTFS when it occurred to me that hashing might be a good way to detect whether an ADS has been created on a file.
Let's explore:
# Create a file (-Force also creates C:\temp if it does not exist)
$path = 'C:\temp\test_ADS.txt'
$null = New-Item -Path $path -ItemType File -Force

# Add some content to the unnamed (default) data stream
Add-Content -Path $path -Value "No hidden text"

# Verify content
Get-Content -Path $path

# Baseline hash; Get-FileHash only reads the default stream, so the algorithm choice does not matter for this test
$hash1 = (Get-FileHash -Path $path -Algorithm MD5).Hash

# Create the ADS: a named stream called HIDDEN on the same file
Add-Content -Stream HIDDEN -Path $path -Value "Hidden Stuff"

# Check the ADS content
Get-Content -Path $path -Stream HIDDEN

# Hash again after the ADS was added
$hash2 = (Get-FileHash -Path $path -Algorithm MD5).Hash

"{0} - No ADS" -f $hash1
"{0} - With ADS" -f $hash2
As you can see, the hash does not change. Get-FileHash reads only the file's unnamed data stream (::$DATA), which is what every ordinary file open sees; a named stream is stored separately on the same NTFS record and never enters the digest, whichever algorithm you choose. A plain file hash therefore cannot tell you that an ADS was added, and neither can the file size shown by Explorer or Get-ChildItem, which also reports the default stream only. Detecting ADS is still possible: Sysmon records named-stream creation as Event ID 15 (FileCreateStreamHash), including a hash of the stream contents, and on a live system Get-Item -Stream * or dir /R lists every stream a file carries.
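If hashing is the goal, the fix is to hash every stream rather than just the default one. The following is an added example written for this page, not code from the original post: it enumerates a file's streams with Get-Item -Stream *, reads each one through Get-Content -Stream, hashes them individually with SHA-256 and folds the results into one composite digest, so that adding or modifying an ADS changes the value while Get-FileHash stays the same. It goes beyond the post's single HIDDEN stream by also sweeping a directory for files that carry any named stream. The function names (Get-StreamBytes, Get-Sha256Hex, Get-StreamAwareHash, Find-FilesWithAds) are made up for this example, the sample file under $env:TEMP is constructed, and it assumes Windows with an NTFS volume.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Get-FileHash only digests the unnamed ::$DATA stream; this hashes every stream.

function Get-StreamBytes {
    param([string]$Path, [string]$Stream)
    # Get-Content -Stream reads a named stream; the unnamed one is reported as ':$DATA'.
    # PowerShell 7 exposes -AsByteStream, Windows PowerShell 5.1 uses -Encoding Byte.
    $params = @{ LiteralPath = $Path; Raw = $true }
    if ($Stream -ne ':$DATA') { $params['Stream'] = $Stream }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $params['AsByteStream'] = $true }
    else { $params['Encoding'] = 'Byte' }
    $bytes = Get-Content @params
    if ($null -eq $bytes) { return [byte[]]@() }   # zero-length stream
    return [byte[]]$bytes
}

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '').ToLower() }
    finally { $sha.Dispose() }
}

function Get-StreamAwareHash {
    # Per-stream digests plus one composite digest that changes when any stream is added,
    # removed or modified. Stream names are unique within a file, so sorting is stable.
    param([Parameter(Mandatory)][string]$Path)
    $perStream = foreach ($s in (Get-Item -LiteralPath $Path -Stream * | Sort-Object Stream)) {
        [pscustomobject]@{
            Stream = $s.Stream
            Length = $s.Length
            Sha256 = Get-Sha256Hex (Get-StreamBytes -Path $Path -Stream $s.Stream)
        }
    }
    $manifest = ($perStream | ForEach-Object { '{0}={1}' -f $_.Stream, $_.Sha256 }) -join "`n"
    [pscustomobject]@{
        Path            = $Path
        Streams         = $perStream
        HasNamedStreams = [bool]($perStream | Where-Object Stream -ne ':$DATA')
        CompositeSha256 = Get-Sha256Hex ([System.Text.Encoding]::UTF8.GetBytes($manifest))
    }
}

function Find-FilesWithAds {
    # Sweep a directory tree for files carrying any named stream. Zone.Identifier
    # (Mark of the Web on downloaded files) is skipped by default because it is noise.
    param([Parameter(Mandatory)][string]$Directory, [switch]$IncludeZoneIdentifier)
    Get-ChildItem -LiteralPath $Directory -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and
                               ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier') } |
                ForEach-Object {
                    [pscustomobject]@{ File = $file.FullName; Stream = $_.Stream; Length = $_.Length }
                }
        }
}

# --- Demo on a constructed sample file, mirroring the post's experiment ---
$path = Join-Path $env:TEMP 'ads_demo.txt'
Set-Content -LiteralPath $path -Value 'No hidden text'
$plainBefore = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
$before      = Get-StreamAwareHash -Path $path

Add-Content -LiteralPath $path -Stream HIDDEN -Value 'Hidden Stuff'
$plainAfter  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
$after       = Get-StreamAwareHash -Path $path

'Get-FileHash changed:      {0}' -f ($plainBefore -ne $plainAfter)
'Stream-aware hash changed: {0}' -f ($before.CompositeSha256 -ne $after.CompositeSha256)
'Named streams present:     {0}' -f $after.HasNamedStreams
$after.Streams | Format-Table Stream, Length, Sha256 -AutoSize
Find-FilesWithAds -Directory $env:TEMP | Where-Object File -eq $path | Format-Table -AutoSize

Remove-Item -LiteralPath $path
```

Running the demo shows the two behaviours side by side: the Get-FileHash comparison reports False because the default stream never changed, while the composite digest reports True as soon as HIDDEN appears. The composite is only useful against a baseline you recorded earlier, so it complements rather than replaces Sysmon's Event ID 15, which catches the stream at creation time without any prior snapshot. Note that the sweep skips Zone.Identifier by default; pass -IncludeZoneIdentifier if you want Mark-of-the-Web streams in the output.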
Hope this helps!