Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Sigma rule (View on GitHub)
1title: Powershell Store File In Alternate Data Stream
2id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
3status: test
4description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
7author: frack113
8date: 2021/09/02
9modified: 2022/12/25
10tags:
11 - attack.defense_evasion
12 - attack.t1564.004
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection_compspec:
19 ScriptBlockText|contains|all:
20 - 'Start-Process'
21 - '-FilePath "$env:comspec" '
22 - '-ArgumentList '
23 - '>'
24 condition: selection_compspec
25falsepositives:
26 - Unknown
27level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- NTFS Alternate Data Stream
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious Diantz Alternate Data Stream Execution
- Exports Registry Key To an Alternate Data Stream
- Clearing Windows Console History