From Abusive Directory Syndrome: Streams can contain executable content, although some operating systems try to block some methods of execution of stream content. For more info, see http://hinchley.net/2013/11/01/ntfs-alternate-data-streams/. Rundll32.exe doesn't block execution of stream DLL content though, according to https://phrozensoft.com/2015/06/phrozen-ads-revealer-catch-alternate-data-stream-2. Some types of security checks that might be bypassed: 1. User Account Control UIAccess secure folder check. 2. AppLocker path-based exceptions. The POC in the link in 1. runs a stream-located executable in c:\windows\tracing, even though my AppLocker rules explicitly ban execution in that folder.
Is this the one fixed in Windows 10? I followed POC steps but keep getting Status 0 Error 8235 on Windows 10.
I doubt it's been fixed in Windows 10 but I don't know for sure. From https://code.google.com/p/google-security-research/issues/detail?id=220: