Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

calendar Oct 12, 2023 · attack.defense_evasion attack.t1564.004  ·
Share on: linkedin copy

Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"

Sigma rule (View on GitHub)

 1title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
 2id: a8f866e1-bdd4-425e-a27a-37619238d9c7
 3related:
 4    - id: 0900463c-b33b-49a8-be1d-552a3b553dae
 5      type: similar
 6status: experimental
 7description: |
 8        Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
 9references:
10    - https://twitter.com/pfiatde/status/1681977680688738305
11    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
12    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
13    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
14    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
15author: Scoubi (@ScoubiMtl)
16date: 2023/10/09
17tags:
18    - attack.defense_evasion
19    - attack.t1564.004
20logsource:
21    product: windows
22    category: file_event
23detection:
24    selection:
25        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
26        TargetFilename|contains: '::$index_allocation'
27    condition: selection
28falsepositives:
29    - Unlikely
30level: medium

References

Related rules

to-top