From Abusive Directory Syndrome:

Streams can contain executable content, although some operating systems try to block some methods of execution of stream content. For more info, see http://hinchley.net/2013/11/01/ntfs-alternate-data-streams/. Rundll32.exe doesn't block execution of stream DLL content though, according to https://phrozensoft.com/2015/06/phrozen-ads-revealer-catch-alternate-data-stream-2.

Some types of security checks that might be bypassed:

1. User Account Control UIAccess secure folder check.
2. AppLocker path-based exceptions.

The POC in the link in 1. runs a stream-located executable in c:\windows\tracing, even though my AppLocker rules explicitly ban execution in that folder.
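A detection-side sketch of the point above, added here and not part of the original text: it flags process-creation records whose image path or command line names an NTFS stream, including a stream attached to a folder such as c:\windows\tracing. The event field names, the deny list and the sample records are assumptions constructed for the example, and it assumes the log source records the stream-qualified path.

```python
import re

# A drive letter (optionally behind \\?\) owns the first colon; it is not a stream separator.
_PREFIX = re.compile(r'^(?:\\\\\?\\)?[A-Za-z]:')
_TOKEN = re.compile(r'"[^"]+"|\S+')
DENIED_DIRS = [r'c:\windows\tracing']  # assumed deny rule; folder taken from the text above

def split_stream(path):
    """Split an NTFS path into (host, stream); stream is None for the default data stream."""
    p = path.strip().strip('"')
    m = _PREFIX.match(p)
    head, rest = (m.group(0), p[m.end():]) if m else ('', p)
    # Stream syntax lives in the last component only: name[:stream[:type]]
    dirpart, sep, leaf = rest.rpartition('\\')
    parts = leaf.split(':')
    stream = parts[1] if len(parts) > 1 and parts[1] else None
    return head + dirpart + sep + parts[0], stream

def under_denied(host):
    """True when the stream's host is a denied folder itself or something inside it."""
    h = host.lower().rstrip('\\')
    return any(h == d or h.startswith(d + '\\') for d in DENIED_DIRS)

def find_stream_refs(image, command_line):
    """Collect (host, stream) pairs from the image path and each command-line token."""
    hits = []
    for tok in [image] + _TOKEN.findall(command_line):
        tok = tok.strip('"').split(',')[0]   # drop a rundll32-style ",EntryPoint" suffix
        if '\\' not in tok:                  # skip switches and bare words (sketch limit)
            continue
        host, stream = split_stream(tok)
        if stream and (host, stream) not in hits:
            hits.append((host, stream))
    return hits

def triage(events):
    """Return (pid, host, stream, host_in_denied_dir) for every named-stream reference."""
    return [(e['pid'], host, stream, under_denied(host))
            for e in events
            for host, stream in find_stream_refs(e['image'], e['cmd'])]

EVENTS = [  # constructed process-creation records, not real telemetry
    {'pid': 101, 'image': r'C:\Windows\Tracing:file.exe', 'cmd': r'C:\Windows\Tracing:file.exe'},
    {'pid': 102, 'image': r'C:\Windows\System32\rundll32.exe',
     'cmd': r'rundll32.exe "C:\Users\Public\notes.txt:lib.dll",Start'},
    {'pid': 103, 'image': r'C:\Windows\System32\notepad.exe',
     'cmd': r'notepad.exe C:\Users\Public\notes.txt::$DATA'},
    {'pid': 104, 'image': r'C:\Windows\System32\cmd.exe', 'cmd': r'cmd.exe /c dir C:\Windows\Tracing'},
]

if __name__ == '__main__':
    for row in triage(EVENTS):
        print(row)
```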