Powershell Store File In Alternate Data Stream
Detects PowerShell storing a file in an NTFS Alternate Data Stream (ADS), a defense-evasion technique (ATT&CK T1564.004) also used by the Astaroth malware. The rule keys on Script Block Logging text that launches cmd.exe via "$env:comspec" with a redirection into a stream.
Sigma rule
```yaml
title: Powershell Store File In Alternate Data Stream
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
status: test
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-02
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_compspec:
        ScriptBlockText|contains|all:
            - 'Start-Process'
            - '-FilePath "$env:comspec" '
            - '-ArgumentList '
            - '>'
    condition: selection_compspec
falsepositives:
    - Unknown
level: medium
```
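To see what selection_compspec actually matches, the following is an added example (it is not part of the rule and not SigmaHQ code) that applies the rule's four strings to constructed Script Block Logging (Event ID 4104) ScriptBlockText values, modelling Sigma's `contains|all` as case-insensitive substring matching. The sample events are constructed, not real telemetry. The last two samples show the caveat a detection engineer should note: the rule requires the literal quoted form `-FilePath "$env:comspec" `, so the same ADS write with an unquoted `$env:comspec`, or done natively with `Set-Content -Stream`, is not covered by this rule.

```python
"""Apply the Sigma rule's selection_compspec to constructed PowerShell
Script Block Logging (Event ID 4104) ScriptBlockText values.

Added example, not part of the Sigma rule or the SigmaHQ repository.
Assumption: Sigma's `contains|all` on an unmodified string value is
case-insensitive substring matching, which is what Sigma specifies.
"""
from typing import Iterable

# The four substrings from the rule's selection_compspec, copied verbatim
# (note the trailing spaces on the second and third entries).
SELECTION_COMPSPEC = [
    'Start-Process',
    '-FilePath "$env:comspec" ',
    '-ArgumentList ',
    '>',
]


def contains_all(text: str, needles: Iterable[str]) -> bool:
    """Sigma `contains|all`: every needle occurs as a substring, case-insensitively."""
    haystack = text.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_rule(script_block_text: str) -> bool:
    """condition: selection_compspec"""
    return contains_all(script_block_text, SELECTION_COMPSPEC)


def evaluate(events: Iterable[dict]) -> list[str]:
    """Return the ids of the events whose ScriptBlockText matches the rule."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]


# Constructed 4104 ScriptBlockText samples (not real telemetry).
SAMPLE_EVENTS = [
    {
        # The shape the rule's strings target: cmd.exe launched through
        # $env:comspec, redirecting echo output into a stream on a file.
        "id": "ads-via-comspec",
        "ScriptBlockText": 'Start-Process -FilePath "$env:comspec" '
                           '-ArgumentList "/c,echo,test,>,$env:TEMP\\test.txt:adstest.txt"',
    },
    {
        # Case differs only; Sigma string matching is case-insensitive.
        "id": "ads-via-comspec-mixed-case",
        "ScriptBlockText": 'start-process -filepath "$env:COMSPEC" '
                           '-argumentlist "/c,echo,x,>,C:\\Temp\\t.txt:s"',
    },
    {
        # Benign: Start-Process with neither comspec nor a redirection.
        "id": "benign-start-process",
        "ScriptBlockText": 'Start-Process -FilePath "notepad.exe" '
                           '-ArgumentList "C:\\Temp\\notes.txt"',
    },
    {
        # Same technique, but -FilePath is unquoted, so the literal
        # '-FilePath "$env:comspec" ' substring is absent: the rule misses it.
        "id": "ads-via-comspec-unquoted",
        "ScriptBlockText": 'Start-Process -FilePath $env:comspec '
                           '-ArgumentList "/c,echo,test,>,C:\\Temp\\t.txt:s"',
    },
    {
        # Same outcome with PowerShell's own -Stream parameter; no cmd.exe,
        # no Start-Process, so this rule does not apply.
        "id": "ads-via-set-content",
        "ScriptBlockText": 'Set-Content -Path "C:\\Temp\\t.txt" -Stream "s" -Value "test"',
    },
]


if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {event_id}")
```

Running the block prints an alert for the first two samples only. The two misses are not bugs in the example; they reflect the rule's literal strings, which is why pairing this rule with the file-stream creation rules listed below (for example the Sysmon Event ID 15 based ones) gives better coverage than either alone.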
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- HackTool Named File Stream Created
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE