I previously wrote about alternate data streams. Consider this an addendum to that post.
Alternate file streams are a Windows file system feature that allows additional sets of data to be attached to a file. Each data stream can be edited independently, but they are all part of the same file. Since the Windows UI doesn’t show information on these streams, the feature raises a few perceivable security concerns. Whether or not it is the intention, information within an alternate file stream is concealed from all except those who know to look for it. This isn’t limited to humans looking at the file system; it also applies to security products that may scan a file system.
It is possible to put executable content within an alternate file stream. Such executable content can’t be invoked directly from the UI, but it can be invoked through tools such as WMI. Given the security concerns that alternate streams may raise, why do I still use them? Those concerns apply only to how other, untrusted entities may use the feature. But any action by an untrusted entity may be a concern.
I thought this concern was worth mentioning because if you try searching for more information on alternate file streams, these concerns are likely to come up on the first page of results.
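A defender-side check for the concealment point above, as an added example that is not from the original post: it walks a directory, lists every stream other than the default `:$DATA`, and flags streams whose first two bytes are the `MZ` executable header. The function name `Find-AlternateStream`, the demo paths and the sample stream contents are assumptions constructed for illustration.

```powershell
# Added example: enumerate alternate data streams on files under a directory.
function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; 6+ uses -AsByteStream.
    $byteArgs = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * returns one object per stream; ':$DATA' is the normal file content.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read only the first two bytes of the stream to test for a PE header.
                    $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -TotalCount 2 @byteArgs)
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Length      = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Constructed sample input: a temp file with two extra streams (needs an NTFS volume).
$demo = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$sample = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'notes' -Value 'text kept in a second stream'
# Starts with the ASCII letters "MZ" so the header check fires; it is not a real executable.
Set-Content -LiteralPath $sample -Stream 'blob' -Value 'MZ constructed marker'

Find-AlternateStream -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Downloaded files commonly carry a `Zone.Identifier` stream, so expect those in real results; the function checks files only, not streams attached to directories.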