Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Sigma rule
title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
references:
    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018-06-03
modified: 2023-02-10
tags:
    - attack.defense-evasion
    - attack.s0139
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
    definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'
detection:
    selection:
        Hash|contains: 'IMPHASH='
    filter_main_null:
        Hash|contains: 'IMPHASH=00000000000000000000000000000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
level: medium
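The rule's detection logic, as an added Python example that is not part of the Sigma project's code: Sysmon Event ID 15 (FileCreateStreamHash, the `create_stream_hash` category) reports the stream's hashes in its Hash field, and the selection and filter_main_null checks are mirrored so that only streams whose contents carry a PE import table (a non-zero Imphash) are flagged. The sample events and hash values are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List

# Sysmon Event ID 15 (FileCreateStreamHash) reports the hashes of the stream
# contents as a comma-separated "ALG=value" list in the Hash field, e.g.
# "MD5=...,SHA256=...,IMPHASH=...". An Imphash only exists for PE files;
# for any other content Sysmon emits 32 zeros, which the rule filters out.
NULL_IMPHASH = "00000000000000000000000000000000"
_HASH_ITEM = re.compile(r"([A-Z0-9]+)=([0-9A-Fa-f]+)")

def parse_hash_field(hash_field: str) -> Dict[str, str]:
    """Split a Sysmon Hash field into {algorithm: hexdigest} (upper-cased)."""
    return {alg.upper(): val.upper() for alg, val in _HASH_ITEM.findall(hash_field)}

def matches_rule(hash_field: str) -> bool:
    """Mirror the Sigma condition: selection (Hash contains 'IMPHASH=')
    and not filter_main_null (Hash contains the all-zero Imphash)."""
    selection = "IMPHASH=" in hash_field
    filter_main_null = f"IMPHASH={NULL_IMPHASH}" in hash_field
    return selection and not filter_main_null

def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the create_stream_hash events whose stream has a real Imphash."""
    return [e for e in events if matches_rule(e.get("Hash", ""))]

# Constructed sample events (not real telemetry); hash values are placeholders.
SAMPLE_EVENTS = [
    {   # plain text written to an ADS: no PE header, so Imphash is all zeros
        "Image": r"C:\Windows\System32\notepad.exe",
        "TargetFilename": r"C:\Users\alice\notes.txt:comment",
        "Hash": "MD5=0123456789ABCDEF0123456789ABCDEF,IMPHASH=" + NULL_IMPHASH,
    },
    {   # PE file written into an ADS: Sysmon computes a non-zero Imphash
        "Image": r"C:\Program Files\Browser\browser.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:payload",
        "Hash": "SHA256=" + "AB" * 32 + ",IMPHASH=" + "1234ABCD" * 4,
    },
    {   # Imphash logging not enabled: the rule cannot fire on this event
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        "Hash": "SHA256=" + "CD" * 32,
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        imphash = parse_hash_field(hit["Hash"]).get("IMPHASH")
        print(f"ADS with embedded PE: {hit['TargetFilename']} by {hit['Image']} (Imphash {imphash})")
```

The third event shows why the logsource definition requires Imphash logging: without `IMPHASH=` in the Hash field the rule never fires, whatever the stream contains.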
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE
- NTFS Alternate Data Stream
- Potential Rundll32 Execution With DLL Stored In ADS