When a file is stored on a drive with NTFS file system, you can attach data streams to it to store hidden information.
Here is a sample that hides PowerShell code in an NTFS stream of a script. When you run this code, it creates a new PowerShell script file on your desktop, and opens the file in the ISE editor:
$path = "$home\Desktop\secret.ps1" $secretCode = { Write-Host -ForegroundColor Red 'This is a miracle!' [System.Console]::Beep(4000,1000) } Set-Content -Path $path -Value '(Invoke-Expression ''[ScriptBlock]::Create((Get-Content ($MyInvocation.MyCommand.Definition) -Stream SecretStream))'').Invoke()' Set-Content -Path $path -Stream SecretStream -Value $secretCode ise $path The new file will expose code like this: (Invoke-Expression '[ScriptBlock]::Create((Get-Content ($MyInvocation.MyCommand.Definition) -Stream SecretStream))').Invoke()
When you run the script file, it will output a red text and beeps for a second. So the newly created script actually executes the code embedded into the secret NTFS stream "SecretStream".
To attach hidden information to (any) file stored on an NTFS volume, use Add-Content or Set-Content with the -Stream parameter.
To read hidden information from a stream, use Get-Content and again specify the -Stream parameter with the name of the stream used to store the data.
