Hidden Executable In NTFS Alternate Data Stream

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Sigma rule

title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
references:
    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018/06/03
modified: 2023/02/10
tags:
    - attack.defense_evasion
    - attack.s0139
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
    definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'
detection:
    selection:
        Hash|contains: 'IMPHASH='
    filter_main_null:
        Hash|contains: 'IMPHASH=00000000000000000000000000000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
level: medium
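The detection logic of the rule above, applied to constructed Sysmon Event ID 15 (FileCreateStreamHash) records, as an added example that is not part of the Sigma rule or the SigmaHQ project. It assumes the `create_stream_hash` logsource maps to Sysmon Event ID 15, that Sigma's `contains` modifier is a case-insensitive substring match, and that Sysmon writes an all-zero Imphash for a stream whose content is not a PE image (which is what `filter_main_null` suppresses). Every path and hash value in the sample events is made up; the second event shows why the null filter matters, since browsers attach a `Zone.Identifier` stream to every download.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): the rule's
# detection logic run over constructed Sysmon Event ID 15 (FileCreateStreamHash)
# records, the event the `create_stream_hash` logsource maps to when Sysmon is
# configured to log the Imphash. All paths and hash values below are constructed.
from typing import Dict, List, Tuple

# Sysmon's Imphash for stream content that is not a PE image (assumption stated above).
NULL_IMPHASH = "00000000000000000000000000000000"


def parse_hash_field(hash_field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALGO=value,ALGO=value' Hash field into a dict keyed by algorithm."""
    parsed: Dict[str, str] = {}
    for part in hash_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip()
    return parsed


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate `selection and not 1 of filter_main_*` for one event.

    selection:        Hash|contains 'IMPHASH='     (an Imphash was logged at all)
    filter_main_null: Hash|contains 'IMPHASH=0...0' (stream content is not a PE)
    Sigma's `contains` is a case-insensitive substring match, so both checks run
    on the lower-cased field.
    """
    # Logsource mapping: category create_stream_hash -> Sysmon Event ID 15.
    if event.get("EventID") != "15":
        return False
    hash_field = event.get("Hash", "").lower()
    selection = "imphash=" in hash_field
    filter_main_null = ("imphash=" + NULL_IMPHASH) in hash_field
    return selection and not filter_main_null


def run_rule(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (TargetFilename, IMPHASH) for every event the rule alerts on."""
    hits: List[Tuple[str, str]] = []
    for event in events:
        if matches_rule(event):
            imphash = parse_hash_field(event.get("Hash", "")).get("IMPHASH", "")
            hits.append((event.get("TargetFilename", ""), imphash))
    return hits


# Constructed sample events carrying the fields Sysmon writes for Event ID 15.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # PE image written into an ADS: non-zero Imphash -> alert
        "EventID": "15",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
        "TargetFilename": "C:\\Users\\alice\\readme.txt:hidden.exe",
        "Hash": "MD5=0123456789ABCDEF0123456789ABCDEF,"
                "SHA256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF,"
                "IMPHASH=A1B2C3D4E5F60718293A4B5C6D7E8F90",
    },
    {   # Zone.Identifier stream a browser adds to a download: not a PE, so the
        # Imphash is all zeros -> suppressed by filter_main_null
        "EventID": "15",
        "Image": "C:\\Program Files\\Browser\\browser.exe",
        "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf:Zone.Identifier",
        "Hash": "MD5=FFEEDDCCBBAA99887766554433221100,"
                "IMPHASH=00000000000000000000000000000000",
    },
    {   # Sysmon configured without the IMPHASH algorithm: selection never matches,
        # which is the 'Requirements' note in the rule's logsource definition
        "EventID": "15",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\alice\\Documents\\tool.exe:payload",
        "Hash": "SHA256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF",
    },
    {   # Process-creation event (ID 1) with an Imphash: outside the logsource
        "EventID": "1",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "Hash": "IMPHASH=A1B2C3D4E5F60718293A4B5C6D7E8F90",
    },
]

if __name__ == "__main__":
    for target, imphash in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: executable content in ADS {target} (IMPHASH={imphash})")
```

Only the first sample event fires; the rule is deliberately broad (any PE in any stream), which is why its own `falsepositives` entry expects hits from installers and browser processes and why it ships at level medium rather than high.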
