Unusual File Creation - Alternate Data Stream
Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
Elastic rule (TOML source; the same rule is published in Elastic's public detection-rules repository on GitHub)
[metadata]
creation_date = "2021/01/21"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter.
This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.file-*",
  "logs-windows.sysmon_operational-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual File Creation - Alternate Data Stream"
risk_score = 73
rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
  "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "node.exe", "python*.exe") and
  file.extension in~ (
    "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "vbe", "ps1", "hta", "txt", "js", "jse",
    "wsh", "wsf", "sct", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
  ) and
  file.path : "C:\\*:*" and
  not file.name : ("*:$DATA", "*PG$Secure", "*Zone.Identifier", "*com.apple.lastuseddate#PS", "*com.apple.provenance")
'''

note = """## Triage and analysis

### Investigating Unusual File Creation - Alternate Data Stream
#### Possible investigation steps

- What ADS did the alerting process create, and on which host file?
  - Focus: `file.path`, `file.extension`, `file.size`, and the stream suffix after the base file.
  - Implication: escalate when a command or script interpreter writes an ADS on an executable, script, user document, or disk-image host file with a payload-like, DLL-like, or config-like stream name; lower concern only when stream name and file class match a narrow classification, tagging, or packaging marker.

- Does stream metadata or collected content look like payload material?
  - Focus: `file.size`, `file.Ext.header_bytes`, `file.Ext.entropy`, and collected ADS content when available.
  - Hint: retrieve raw ADS content with "Get-Content -Path <host_file> -Stream <stream_name>" or collect the host file before cleanup; without content, do not close from absence.
  - Implication: escalate for script text, encoded blobs, PE bytes, launcher syntax, or execution configuration; if content cannot be recovered, keep unresolved unless lineage, staging, or reuse proves the answer. Lower concern requires small, readable classification, package, validation, or test metadata.

- How was the creating interpreter launched?
  - Focus: `process.executable`, `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and `process.code_signature.subject_name`. $investigate_2
  - Implication: escalate when launched by a document, browser, user-writable binary, unusual parent command, or command line that writes hidden content; lower concern when identity, parent, command line, and user-host scope match a recognized tagging, packaging, or validation workflow.

- Did the creating process stage, rename, or clean up supporting files?
  - Focus: same-process file events on `host.id` and `process.entity_id`: `file.path`, `file.extension`, and `file.size`. $investigate_3
  - Implication: escalate when the same process drops executables or scripts, renames content into a deceptive path, deletes staging material, or writes related ADS artifacts; lower concern when file activity stays limited to the expected file set and stream metadata pattern.

- Did later commands reuse the ADS path or base file?
  - Why: ADS creation becomes decisive when a later command uses `<path>:<stream>` syntax or a helper consumes the hidden content.
  - Focus: later process events on `host.id` and `user.id` where `process.command_line` references the ADS path, base path, or stream name; include `process.executable` and `process.parent.executable`. $investigate_4
  - Hint: search first for the literal ADS path, then the base path and stream name separately if quoting or escaping differs.
  - Implication: escalate when later commands read, execute, copy, extract, or persist from the ADS; if no reuse appears, keep unresolved unless content and lineage prove benign metadata use.

- Does the ADS pattern recur broadly enough to change scope?
  - Focus: smallest stable suspicious indicator, such as stream name, `file.path` pattern, `process.executable`, or `process.command_line`, plus `host.id` and `user.id` scope.
  - Hint: review host-related alerts for matching ADS or interpreter patterns. $investigate_1
  - Hint: review user-related alerts before treating activity as one-host. $investigate_0
  - Implication: broaden containment and scoping when unrelated hosts or users share the ADS pattern; keep scope local only when local content, lineage, and reuse are resolved or the pattern remains confined to one unresolved host.

- Escalate for hidden payload staging, ADS execution, suspicious cleanup, or spread beyond the first host; close only when ADS path/content, command lines, parent lineage, same-process file activity, and `host.id`/`user.id` scope prove one exact marker-writing or lab workflow with no contradictory reuse; preserve artifacts and escalate when answers stay mixed or incomplete.

### False positive analysis

- Data-classification, packaging, or validation tools can legitimately create small ADS markers on fixed file classes. Confirm identity (`process.executable`, `process.code_signature.subject_name`, parent command line), artifacts (`file.path`, stream name, readable marker content), and scope (`host.id`, `user.id`, host cohort) all align with one exact workflow; if workflow records are unavailable, require prior alerts with the same process identity, parent command line, stream name, file class, and host cohort.
- Controlled security testing or forensic labs can place samples or markers in ADS on isolated systems. Confirm the same `process.executable`, `process.command_line`, `file.path`, stream name, and lab host cohort, and no later execution or persistence from the ADS; if test plans are unavailable, require repeated bounded testing patterns. Do not create exceptions on `process.name` or `file.extension` alone.

### Response and remediation

- If confirmed benign:
  - Document the evidence that established the workflow before changing response state: `process.executable`, `process.command_line`, parent command line, `file.path` pattern, stream name, stream content type, and the `host.id` or `host.name` cohort. Then reverse temporary containment. Build exceptions only from the minimum confirmed pattern, not from a generic interpreter or file-extension condition.
- If suspicious but unconfirmed:
  - Preserve the exact ADS path, base host file, recovered stream content or computed hash, process timeline, `process.entity_id`, `process.pid`, `process.command_line`, `process.parent.command_line`, and same-process file events before cleanup.
  - Apply reversible containment tied to the findings, such as heightened monitoring, execution restrictions for the affected interpreter, or temporary containment of the affected `host.id`; avoid deleting the stream or base file until evidence is collected.
  - Escalate to host isolation only if ADS reuse, payload-like content, suspicious cleanup, or continued staging shows active risk and the asset can tolerate isolation.
- If confirmed malicious:
  - Use endpoint response to isolate the host after preserving the ADS path, base file, stream content, process timeline, command lines, parent lineage, and related file artifacts. If direct endpoint response is unavailable, hand off that evidence set to the team that can contain the host.
  - Review other hosts and users for the same stream name, ADS path pattern, `process.executable`, or `process.command_line` before deleting the stream, removing the base file, or terminating related processes.
  - Remove the malicious stream, launched payloads, staging files, and the entry vector that created them, then remediate any persistence or delivery path identified during the investigation.
- Post-incident hardening:
  - Keep process and file telemetry enabled for the affected host class, and record recurring ADS naming or interpreter patterns for future triage.
  - Restrict or monitor interpreter workflows that create ADS on high-value file types when that behavior is not required for the host role.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 15 - FileCreateStreamHash](https://ela.st/sysmon-event-15-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.name",
  "host.id",
  "user.name",
  "user.id",
  "process.parent.executable",
  "process.entity_id",
  "process.pid",
  "process.name",
  "process.executable",
  "process.command_line",
  "file.path",
  "file.name",
  "file.extension",
  "file.size",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the same process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same host and user"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.004"
name = "NTFS File Attributes"
reference = "https://attack.mitre.org/techniques/T1564/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
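The rule's EQL predicate, re-implemented in Python and run over constructed sample events so that each clause and each exclusion can be seen doing its work. This is an added example for this page, not the rule's own code and not Elastic's EQL engine; the event dictionaries are hand-built ECS-style records, and populating `file.extension` with the host file's extension for an ADS path is an assumption of the example, not a statement about how any of the listed data sources map that field.

```python
"""Mirror of the rule's EQL predicate, run over constructed sample events.

Added example: not the rule's own code. Events are hand-built ECS-style
dictionaries; populating file.extension with the host file's extension for
an ADS path is an assumption of this example.
"""
import re

INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "node.exe", "python*.exe")
EXTENSIONS = {
    "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "vbe", "ps1",
    "hta", "txt", "js", "jse", "wsh", "wsf", "sct", "docx", "doc", "xlsx", "xls",
    "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso",
}
# file.path : "C:\\*:*" in the EQL source is the pattern C:\*:* (one literal backslash)
PATH_PATTERN = "C:\\*:*"
EXCLUDED_NAMES = ("*:$DATA", "*PG$Secure", "*Zone.Identifier",
                  "*com.apple.lastuseddate#PS", "*com.apple.provenance")


def eql_like(pattern, value):
    """Approximates EQL's ':' operator: case-insensitive, '*' matches any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches(event):
    """True when the event satisfies every clause of the rule's query."""
    if event["host.os.type"] != "windows" or event["event.type"] != "creation":
        return False
    if not any(eql_like(p, event["process.name"]) for p in INTERPRETERS):
        return False
    if event["file.extension"].lower() not in EXTENSIONS:  # in~ is case-insensitive
        return False
    if not eql_like(PATH_PATTERN, event["file.path"]):  # drive colon plus a second colon
        return False
    # The default stream and well-known marker streams are carved out of the rule
    return not any(eql_like(p, event["file.name"]) for p in EXCLUDED_NAMES)


def _ev(proc, path, ext, etype="creation"):
    return {"host.os.type": "windows", "event.type": etype, "process.name": proc,
            "file.path": path, "file.name": path.rsplit("\\", 1)[-1], "file.extension": ext}


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    _ev("powershell.exe", r"C:\Users\bob\Documents\invoice.pdf:payload.dll", "pdf"),  # alert
    _ev("chrome.exe", r"C:\Users\bob\Downloads\setup.exe:Zone.Identifier", "exe"),    # not an interpreter
    _ev("cmd.exe", r"C:\Users\bob\Downloads\setup.exe:Zone.Identifier", "exe"),       # excluded stream name
    _ev("cscript.exe", r"C:\ProgramData\notes.txt::$DATA", "txt"),                     # default stream, excluded
    _ev("python3.exe", r"C:\Temp\image.png:loader.ps1", "png"),                        # alert (python*.exe)
    _ev("mshta.exe", r"D:\share\doc.docx:hidden.js", "docx"),                          # not on C:, never matched
    _ev("wscript.exe", r"C:\Temp\run.vbs", "vbs"),                                     # no stream at all
]


def matching_paths(events):
    """file.path of every event the rule would alert on, in input order."""
    return [e["file.path"] for e in events if matches(e)]


if __name__ == "__main__":
    for p in matching_paths(SAMPLE_EVENTS):
        print("ALERT", p)
```

The sixth sample is the caveat worth noting: the `file.path : "C:\\*:*"` clause scopes the rule to the system drive, so an interpreter writing an ADS on a second volume or a mapped drive produces no alert from this rule even though every other clause is satisfied. The third and fourth samples show why `cmd.exe` touching `Zone.Identifier` or the default `$DATA` stream is intentionally quiet, and why the rule's false-positive guidance insists on exceptions built from stream name plus process identity rather than from `process.name` alone.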
Related rules
- Attempt to Install or Run Kali Linux via WSL
- Script Execution via Microsoft HTML Application
- Suspicious Managed Code Hosting Process
- Unusual Child Process from a System Virtual Process
- Unusual Executable File Creation by a System Critical Process
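An added Python helper for three of the triage steps in the rule note above: splitting an ADS path into host file and stream name, forming a coarse verdict on recovered stream bytes (PE header, script markers, entropy, readable marker text, in the order the note lists them), and searching later command lines for the literal ADS path, then the base path and stream name separately, as the note's hint recommends. This is not Elastic's code; the stream contents and command lines are constructed samples, and the script marker list, the 7.0-bit entropy cut-off and the 512-byte marker limit are illustrative choices of this example, not thresholds taken from the rule.

```python
"""Triage helpers for an ADS creation alert (added example, not Elastic's code).

Sample stream contents and command lines are constructed. The script marker
list, the 7.0-bit entropy cut-off and the 512-byte marker limit are
illustrative choices of this example, not values taken from the rule.
"""
import math


def split_ads_path(path):
    """'C:\\dir\\host.pdf:loader.vbs[:$DATA]' -> ('C:\\dir\\host.pdf', 'loader.vbs').
    Skips the drive-letter colon and drops a trailing stream-type suffix."""
    drive, rest = path[:2], path[2:]
    parts = rest.split(":")
    return drive + parts[0], (parts[1] if len(parts) > 1 else "")


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


SCRIPT_MARKERS = (b"iex", b"invoke-expression", b"frombase64string", b"createobject(",
                  b"wscript.shell", b"<script", b"<html", b"powershell", b"cmd /c")


def classify_stream(data):
    """Coarse verdict in the order a triager checks: PE header, script text,
    high-entropy blob, then small readable marker text."""
    if data[:2] == b"MZ":
        return "pe"
    low = data.lower()
    if any(m in low for m in SCRIPT_MARKERS):
        return "script"
    if shannon_entropy(data) > 7.0:
        return "encoded-or-packed-blob"
    if len(data) <= 512 and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "readable-marker"
    return "unknown-binary"


def find_reuse(command_lines, host_file, stream):
    """Classify later command lines by how they reference the stream: the
    literal path:stream, base path plus stream name, or one of them alone
    (relative paths and different quoting routinely hide the base path)."""
    literal = f"{host_file}:{stream}".lower()
    hits = []
    for cmd in command_lines:
        low = cmd.lower()
        has_base, has_stream = host_file.lower() in low, stream.lower() in low
        if literal in low:
            hits.append((cmd, "literal"))
        elif has_base and has_stream:
            hits.append((cmd, "base+stream"))
        elif has_stream:
            hits.append((cmd, "stream-only"))
        elif has_base:
            hits.append((cmd, "base-only"))
    return hits


# Constructed samples (not recovered from a real host)
HOST_FILE, STREAM = split_ads_path(r"C:\Users\bob\Documents\invoice.pdf:loader.vbs:$DATA")
SAMPLE_STREAMS = {
    "marker": b"ClassificationLevel=Internal\r\n",
    "script": b"$p=[Convert]::FromBase64String('aGVsbG8=');IEX([Text.Encoding]::UTF8.GetString($p))",
    "pe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00",
    "blob": bytes(range(256)) * 4,
}
SAMPLE_COMMAND_LINES = [
    r'wscript.exe //E:vbscript "C:\Users\bob\Documents\invoice.pdf:loader.vbs"',
    r'''powershell.exe -NoP -c "Get-Content -Path 'C:\Users\bob\Documents\invoice.pdf' -Stream loader.vbs"''',
    r"notepad.exe C:\Users\bob\Documents\report.docx",
    r'powershell.exe -c "gc .\invoice.pdf -Stream loader.vbs"',
]

if __name__ == "__main__":
    print("host file:", HOST_FILE, "stream:", STREAM)
    for name, data in SAMPLE_STREAMS.items():
        print(f"{name:7} {classify_stream(data):24} entropy={shannon_entropy(data):.2f}")
    for cmd, kind in find_reuse(SAMPLE_COMMAND_LINES, HOST_FILE, STREAM):
        print(f"{kind:12} {cmd}")
```

The fourth command line is the case the note's hint is about: the base path appears only as a relative `.\invoice.pdf`, so a search for the full ADS path or for the absolute host path would miss it, while the stream name alone still ties it to the alert. A "readable-marker" verdict lowers concern only together with matching process identity and scope, as the false-positive section above requires; it is not a reason to close on its own.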