create_stream_hash

Apr 28, 2026 · attack.stealth ·

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Apr 28, 2026 · attack.stealth attack.t1564.004 ·

Exports the target Registry key and hides it in the specified alternate data stream.

Detects the creation of a named file stream with the imphash of a well-known hack tool

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Apr 28, 2026 · attack.persistence attack.stealth ·

Detects potential suspicious winget package installation from a suspicious source.

Apr 28, 2026 · attack.stealth ·

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Detects the download of suspicious file type from a well-known file and paste sharing domain

Apr 28, 2026 · attack.stealth attack.t1564.004 ·

Detects the download of suspicious file type from URLs with IP

Detects the download of suspicious file type from a well-known file and paste sharing domain