Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Sigma rule

```yaml
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021/09/01
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_stream:
        CommandLine|contains: 'txt:'
    selection_tools_type:
        CommandLine|contains|all:
            - 'type '
            - ' > '
    selection_tools_makecab:
        CommandLine|contains|all:
            - 'makecab '
            - '.cab'
    selection_tools_reg:
        CommandLine|contains|all:
            - 'reg '
            - ' export '
    selection_tools_regedit:
        CommandLine|contains|all:
            - 'regedit '
            - ' /E '
    selection_tools_esentutl:
        CommandLine|contains|all:
            - 'esentutl '
            - ' /y '
            - ' /d '
            - ' /o '
    condition: selection_stream and (1 of selection_tools_*)
falsepositives:
    - Unknown
level: medium
```
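The rule's selection and condition logic as an added Python reference implementation (example code, not part of SigmaHQ or its converters), run over constructed process_creation command lines with placeholder paths; Sigma `contains` matching is case-insensitive, which the helper reproduces.

```python
"""Reference implementation of the rule's matching logic over sample events.
Example code, not SigmaHQ tooling; the sample command lines are constructed."""

# Patterns copied from the rule. Sigma string matching is case-insensitive.
SELECTION_STREAM = ["txt:"]
SELECTION_TOOLS = {
    "type": ["type ", " > "],
    "makecab": ["makecab ", ".cab"],
    "reg": ["reg ", " export "],
    "regedit": ["regedit ", " /E "],
    "esentutl": ["esentutl ", " /y ", " /d ", " /o "],
}


def contains_all(command_line: str, needles: list) -> bool:
    """Sigma `contains|all`: every needle must appear, case-insensitively."""
    haystack = command_line.lower()
    return all(n.lower() in haystack for n in needles)


def matched_tools(command_line: str) -> list:
    """Names of the selection_tools_* blocks whose needles all matched."""
    return [name for name, needles in SELECTION_TOOLS.items()
            if contains_all(command_line, needles)]


def rule_matches(event: dict) -> bool:
    """condition: selection_stream and (1 of selection_tools_*)."""
    cmd = event.get("CommandLine", "")
    return contains_all(cmd, SELECTION_STREAM) and bool(matched_tools(cmd))


def alerts(events: list) -> list:
    """Command lines that would raise this rule."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry); C:\tmp paths are placeholders.
SAMPLE_EVENTS = [
    {"CommandLine": r"cmd.exe /c type C:\tmp\tool.exe > C:\tmp\readme.txt:tool.exe"},
    {"CommandLine": r"makecab C:\tmp\tool.exe C:\tmp\readme.txt:tool.cab"},
    {"CommandLine": r"reg export HKLM\SOFTWARE\Example C:\tmp\notes.txt:keys.reg"},
    {"CommandLine": r"esentutl /y C:\tmp\tool.exe /o /d C:\tmp\readme.txt:tool.exe"},
    {"CommandLine": r"type C:\tmp\readme.txt"},              # no ADS, no redirect
    {"CommandLine": r"notepad.exe C:\tmp\readme.txt:hidden"},  # ADS, no listed tool
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(rule_matches(e), matched_tools(e["CommandLine"]), e["CommandLine"])
```

Note that the esentutl block's `' /o '` needle carries a trailing space, so a command line that ends in `/o` with nothing after it does not satisfy that block; the sample places `/o` before `/d` to show the block matching.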
Related rules
- Run PowerShell Script from ADS
- NTFS Alternate Data Stream
- Powershell Store File In Alternate Data Stream
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious Diantz Alternate Data Stream Execution