.. /Sc.exe
Star

Alternate data streams

Used by Windows to manage services

Paths:

C:\Windows\System32\sc.exe
C:\Windows\SysWOW64\sc.exe

Resources:

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

Acknowledgements:

Oddvar Moe (@oddvarmoe)

Detection:

Alternate data streams

Creates a new service and executes the file stored in the ADS.
```
sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
```
Use case
Execute binary file hidden inside an alternate data stream

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1564.004
Modifies an existing service and executes the file stored in the ADS.
```
sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
```
Use case
Execute binary file hidden inside an alternate data stream

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1564.004