Alternate Data Stream Creation/Execution at Volume Root Directory
Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
Elastic rule
[metadata]
creation_date = "2024/03/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to
hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.file-*",
  "logs-windows.sysmon_operational-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Alternate Data Stream Creation/Execution at Volume Root Directory"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Alternate Data Stream Creation/Execution at Volume Root Directory

Alternate Data Streams (ADS) in Windows allow files to contain multiple streams of data, which can be exploited by adversaries to conceal malicious tools or data. By creating or executing ADS at the root of a volume, attackers can evade detection by standard system utilities. The detection rule identifies suspicious ADS activity by monitoring file creation and process execution patterns at the volume root, flagging potential defense evasion attempts.

### Possible investigation steps

- Review the alert details to identify the specific file path or process executable that triggered the alert, focusing on the volume root directory pattern [A-Z]:\\\\:.
- Check the file or process creation timestamp to determine when the suspicious activity occurred and correlate it with other events or activities on the system around the same time.
- Investigate the file or process owner and the user account associated with the activity to assess if it aligns with expected behavior or if it indicates potential unauthorized access.
- Examine the file or process for known indicators of compromise (IOCs) or signatures of malicious activity using threat intelligence sources or antivirus tools.
- Analyze the system for additional signs of compromise, such as unexpected network connections, registry changes, or other suspicious files, to determine if the ADS activity is part of a larger attack.
- Review system logs and security tools for any related alerts or anomalies that could provide further context or evidence of malicious intent.

### False positive analysis

- System utilities or legitimate applications may create ADS at the volume root for benign purposes, such as storing metadata or configuration data. Review the source of the ADS creation to determine if it is associated with known safe applications.
- Backup or disk management software might use ADS to store additional information about files. Verify if the detected activity aligns with scheduled backup operations or disk management tasks.
- Some security tools or system monitoring applications may use ADS for logging or tracking purposes. Cross-reference the process or file path with known security tools to rule out false positives.
- If a specific application is consistently triggering alerts due to its use of ADS, consider creating an exception for that application's process or file path in your monitoring solution to reduce noise.
- Regularly update your list of known safe applications and processes that interact with ADS to ensure that legitimate activities are not flagged as suspicious.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the identified ADS activity.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any hidden malicious files or tools.
- Review and delete any unauthorized or suspicious ADS found at the volume root directory to eliminate potential hiding places for malware.
- Restore affected files from a known good backup to ensure system integrity and remove any compromised data.
- Monitor network traffic for unusual patterns or connections that may indicate ongoing malicious activity or data exfiltration attempts.
- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures."""
references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"]
risk_score = 47
rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Data Source: Elastic Endgame",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and event.category in ("file", "process") and
  (
    (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or
    (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.004"
name = "NTFS File Attributes"
reference = "https://attack.mitre.org/techniques/T1564/004/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
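To see exactly which events the query above catches and which it leaves alone (the investigation guide's first triage step and its suggestion of per-process exceptions), here is the rule's where-clause emulated in Python over a handful of constructed events. This is an added example, not Elastic's code or part of the rule: the ECS-style event dictionaries, the allowlist name `backupagent.exe` and the `split_stream` helper are assumptions made for the demonstration. EQL's `regex~` is a case-insensitive, whole-string match, which is why the Python version uses `re.fullmatch` with `re.IGNORECASE`.

```python
import re

# Mirrors the EQL pattern """[A-Z]:\\:.+""": a drive letter, a literal
# backslash, then a colon, i.e. a stream attached to the root directory itself
# ("C:\:name"), not to a file beneath it. regex~ is case-insensitive and
# matches the whole string, so fullmatch + IGNORECASE is the equivalent.
ROOT_ADS = re.compile(r"[A-Z]:\\:.+", re.IGNORECASE)


def rule_target(event):
    """Return the field the rule inspects for this event, or None when the
    event is outside the rule's scope (host.os.type, category and type)."""
    if event.get("host.os.type") != "windows":
        return None
    category, etype = event.get("event.category"), event.get("event.type")
    if category == "file" and etype == "creation":
        return event.get("file.path")
    if category == "process" and etype == "start":
        return event.get("process.executable")
    return None


def matches_rule(event, allowlist=frozenset()):
    """True when the event would fire the rule. `allowlist` holds lowercase
    process names treated as benign ADS writers; it stands in for the
    exception the false-positive section recommends (hypothetical names)."""
    target = rule_target(event)
    if not target or not ROOT_ADS.fullmatch(target):
        return False
    return event.get("process.name", "").lower() not in allowlist


def split_stream(path):
    """Split 'C:\\:name' or 'C:\\:name:$DATA' into (root, stream, type) for
    triage. NTFS spells streams as <file>:<stream>:<type>; type defaults to $DATA."""
    root, rest = path[:3], path[3:]          # 'C:\' and what follows it
    parts = rest.lstrip(":").split(":")
    stream_type = parts[1] if len(parts) > 1 else "$DATA"
    return root, parts[0], stream_type


# Constructed sample events (flat ECS keys), not real telemetry.
EVENTS = [
    {"host.os.type": "windows", "event.category": "file", "event.type": "creation",
     "file.path": r"C:\:hidden.dll", "process.name": "powershell.exe"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.executable": r"d:\:svc.exe", "process.name": "svc.exe"},
    # ADS on a file below the root: not what this rule is about
    {"host.os.type": "windows", "event.category": "file", "event.type": "creation",
     "file.path": r"C:\Users\bob\setup.exe:Zone.Identifier", "process.name": "msedge.exe"},
    # ordinary file at the root: no stream separator after the drive
    {"host.os.type": "windows", "event.category": "file", "event.type": "creation",
     "file.path": r"C:\pagefile.sys", "process.name": "System"},
    # identical path on a non-Windows host: out of scope
    {"host.os.type": "linux", "event.category": "file", "event.type": "creation",
     "file.path": r"C:\:hidden.dll", "process.name": "bash"},
    # benign writer that an allowlist exception would suppress
    {"host.os.type": "windows", "event.category": "file", "event.type": "creation",
     "file.path": r"C:\:backup-meta", "process.name": "backupagent.exe"},
]


def run_rule(events, allowlist=frozenset()):
    """Return the inspected path/executable of every event that fires."""
    return [rule_target(e) for e in events if matches_rule(e, allowlist)]


if __name__ == "__main__":
    for hit in run_rule(EVENTS, allowlist={"backupagent.exe"}):
        root, stream, stream_type = split_stream(hit)
        print(f"ALERT root={root} stream={stream} type={stream_type}")
```

Note that the pattern is anchored by the whole-string match, so a Zone.Identifier stream on a download in a user profile never fires, while a lowercase drive letter does; the allowlist is applied after the match, so an exception only ever narrows the rule.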
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History
- Clearing Windows Event Logs