research poc
Windows Defender Bypass Using Alternate Data Stream Shellcode LoaderShellcode-Loader-with-ADS
A proof-of-concept demonstrates bypassing Windows Defender by storing raw shellcode in an NTFS Alternate Data Stream (ADS) attached to a legitimate file. The loader reads and executes the shellcode from the ADS, evading static detection because Defender scans only the primary file stream. This technique reduces on-disk footprint and complicates forensic analysis.