Execute From Alternate Data Streams
Detects command lines that copy or export data into an NTFS Alternate Data Stream (ADS) of a .txt file, using type redirection, makecab, reg export, regedit /E or esentutl, which is how a payload is staged in a stream before being run from it. Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Sigma rule
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_stream:
        CommandLine|contains: 'txt:'
    selection_tools_type:
        CommandLine|contains|all:
            - 'type '
            - ' > '
    selection_tools_makecab:
        CommandLine|contains|all:
            - 'makecab '
            - '.cab'
    selection_tools_reg:
        CommandLine|contains|all:
            - 'reg '
            - ' export '
    selection_tools_regedit:
        CommandLine|contains|all:
            - 'regedit '
            - ' /E '
    selection_tools_esentutl:
        CommandLine|contains|all:
            - 'esentutl '
            - ' /y '
            - ' /d '
            - ' /o '
    condition: selection_stream and (1 of selection_tools_*)
falsepositives:
    - Unknown
level: medium
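To see exactly which command lines the detection block fires on, the selection logic is transcribed into plain Python below and run over a handful of process_creation command lines. This is an added example, not part of the rule or of the Sigma project: the command lines are constructed in the shape of the referenced Atomic Red Team T1564.004 tests, and Sigma's default case-insensitive substring semantics for `contains` are assumed.

```python
"""The rule's detection block re-implemented in Python and evaluated over
constructed process_creation command lines (not real telemetry)."""
from typing import Dict, List

# Transcribed from the rule: one stream selection plus one selection per
# tool, each a list of substrings that must ALL appear (contains|all).
SELECTION_STREAM = ["txt:"]
SELECTION_TOOLS: Dict[str, List[str]] = {
    "selection_tools_type": ["type ", " > "],
    "selection_tools_makecab": ["makecab ", ".cab"],
    "selection_tools_reg": ["reg ", " export "],
    "selection_tools_regedit": ["regedit ", " /E "],
    "selection_tools_esentutl": ["esentutl ", " /y ", " /d ", " /o "],
}


def contains_all(command_line: str, needles: List[str]) -> bool:
    """Sigma 'contains|all': every substring present somewhere in the field.
    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased; leading/trailing spaces in the literals are significant."""
    haystack = command_line.lower()
    return all(n.lower() in haystack for n in needles)


def evaluate(command_line: str) -> List[str]:
    """Names of the tool selections that fire, or [] when the rule is silent.
    Mirrors the condition 'selection_stream and (1 of selection_tools_*)'."""
    if not contains_all(command_line, SELECTION_STREAM):
        return []
    return [name for name, needles in SELECTION_TOOLS.items()
            if contains_all(command_line, needles)]


def matches(command_line: str) -> bool:
    """True when the rule would raise an alert for this command line."""
    return bool(evaluate(command_line))


# Constructed sample events, modelled on the Atomic T1564.004 command-prompt
# tests: a binary or registry export is written into a stream on a .txt file.
SAMPLE_EVENTS = [
    r'cmd.exe /c type C:\Windows\System32\cmd.exe > "C:\Temp\T1564.004.txt:cmd.exe"',
    r'makecab C:\Temp\payload.exe C:\Temp\cabtest.txt:payload.cab',
    r'reg export HKLM\SOFTWARE\Microsoft\Evilreg C:\Temp\ads.txt:reg.bak',
    r'regedit /E C:\Temp\file.txt:regfile.reg HKEY_CURRENT_USER\Software\Classes',
    # Same technique via esentutl, but '/o' is the last argument, so the
    # literal ' /o ' (with its trailing space) never appears: the rule misses it.
    r'esentutl /y C:\Temp\payload.exe /d C:\Temp\file.txt:payload.exe /o',
    # Benign: ordinary redirection into a file, no stream syntax at all.
    r'cmd.exe /c type C:\Temp\notes.txt > C:\Temp\copy.txt',
    # Evasion: identical technique, but the host file is not .txt, so the
    # 'txt:' anchor never appears and the rule stays silent.
    r'cmd.exe /c type C:\Windows\System32\cmd.exe > "C:\Temp\report.log:cmd.exe"',
]


def run_samples() -> Dict[str, List[str]]:
    """Evaluate every constructed event; the result is keyed by command line."""
    return {cl: evaluate(cl) for cl in SAMPLE_EVENTS}


if __name__ == "__main__":
    for cl, hits in run_samples().items():
        print("ALERT" if hits else "  -  ", cl, hits)
```

Two things the walk-through makes visible: the `txt:` anchor ties the rule to the `.txt` host files used in the Atomic tests, so the same commands against any other extension pass unseen; and because the tool literals carry surrounding spaces, `esentutl.exe` (no space after `esentutl`) and an `/o` that ends the command line both fail the `contains|all` check. Whether to widen those literals is a tuning decision that trades coverage against the "Unknown" false-positive rate the rule declares.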
Related rules
- Exports Registry Key To an Alternate Data Stream
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE
- NTFS Alternate Data Stream
- Potential Rundll32 Execution With DLL Stored In ADS