Creation Of a Suspicious ADS File Outside a Browser Download

calendar Oct 18, 2023 · attack.defense_evasion  ·
Share on: linkedin copy

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Sigma rule (View on GitHub)

 1title: Creation Of a Suspicious ADS File Outside a Browser Download
 2id: 573df571-a223-43bc-846e-3f98da481eca
 3status: experimental
 4description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
 5references:
 6    - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
 7author: frack113
 8date: 2022/10/22
 9modified: 2023/06/12
10tags:
11    - attack.defense_evasion
12logsource:
13    product: windows
14    category: create_stream_hash
15detection:
16    selection:
17        Contents|startswith: '[ZoneTransfer]  ZoneId=3'
18        TargetFilename|endswith: ':Zone.Identifier'
19        TargetFilename|contains:
20            - '.exe'
21            - '.scr'
22            - '.bat'
23            - '.cmd'
24            - '.docx'
25            - '.hta'
26            - '.jse'
27            - '.lnk'
28            - '.pptx'
29            - '.ps'
30            - '.reg'
31            - '.sct'
32            - '.vb'
33            - '.wsc'
34            - '.wsf'
35            - '.xlsx'
36    filter_optional_brave:
37        Image|endswith: '\brave.exe'
38    filter_optional_chrome:
39        Image:
40            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
41            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
42    filter_optional_firefox:
43        Image:
44            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
45            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
46    filter_optional_ie:
47        Image:
48            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
49            - 'C:\Program Files\Internet Explorer\iexplore.exe'
50    filter_optional_maxthon:
51        Image|endswith: '\maxthon.exe'
52    filter_optional_edge_1:
53        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
54        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
55        - Image:
56              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
57              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
58    filter_optional_edge_2:
59        Image|startswith:
60            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
61            - 'C:\Program Files\Microsoft\EdgeCore\'
62        Image|endswith:
63            - '\msedge.exe'
64            - '\msedgewebview2.exe'
65    filter_optional_opera:
66        Image|endswith: '\opera.exe'
67    filter_optional_safari:
68        Image|endswith: '\safari.exe'
69    filter_optional_seamonkey:
70        Image|endswith: '\seamonkey.exe'
71    filter_optional_vivaldi:
72        Image|endswith: '\vivaldi.exe'
73    filter_optional_whale:
74        Image|endswith: '\whale.exe'
75    filter_optional_snipping_tool:
76        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
77        Image|endswith: '\SnippingTool\SnippingTool.exe'
78        TargetFilename|startswith: 'C:\Users\'
79        TargetFilename|contains|all:
80            - '\AppData\Local\Packages\Microsoft.ScreenSketch_'
81            - '\TempState\Screenshot '
82        TargetFilename|endswith: '.png:Zone.Identifier'
83    condition: selection and not 1 of filter_optional_*
84falsepositives:
85    - Other legitimate browsers not currently included in the filter (please add them)
86    - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
87level: medium

References

Related rules

to-top