🔬Alternate Data Stream
Lab 1 (Extra)
🔬 Home Lab
I will use a Windows 10 Virtual Machine for this demonstration
Open a Command Prompt (
cmd
)
notepad text.txt
Check the Resource Stream (metadata) of the file

notepad test.txt:secret.txt
# secret.txt contains the Resource Stream
notepad test.txt
# normal Data Stream


e.g.
- Download latest winPEASx64_ofs.exe (Antivirus may block the file), rename it to payload.exe
and move it to C:\Temp
directory
Using the
type
command, redirect the output into a new legitimate text file, passing in the actual executable into the text file resource stream.
type payload.exe > windows_log.txt:winpeas.exe
del payload.exe
windows_log.txt
file can be filled with legitimate logs data to make it as realistic as possibleStart the hidden executable
start windows_log.txt:winpeas.exe

Open an elevated
cmd
and create a symbolic link
cd C:\Windows\System32
mklink wupdate.exe C:\Temp\windows_log.txt:winpeas.exe

Run
wupdate.exe
to launch thewinpeas.exe
payload from the Resource stream of the windows_log.txt file
wupdate
📌 Same as above procedure can be done with a malicious
msfvenom
payload.
Last updated
Was this helpful?