Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
Sigma rule (View on GitHub)
1title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
2id: a8f866e1-bdd4-425e-a27a-37619238d9c7
3related:
4 - id: 0900463c-b33b-49a8-be1d-552a3b553dae
5 type: similar
6status: experimental
7description: |
8 Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
9references:
10 - https://twitter.com/pfiatde/status/1681977680688738305
11 - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
12 - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
13 - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
14 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
15author: Scoubi (@ScoubiMtl)
16date: 2023/10/09
17tags:
18 - attack.defense_evasion
19 - attack.t1564.004
20logsource:
21 product: windows
22 category: file_event
23detection:
24 selection:
25 # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
26 TargetFilename|contains: '::$index_allocation'
27 condition: selection
28falsepositives:
29 - Unlikely
30level: medium
References
Related rules
- Use NTFS Short Name in Image
- Hidden Executable In NTFS Alternate Data Stream
- Execute From Alternate Data Streams
- Run PowerShell Script from ADS
- NTFS Alternate Data Stream