Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command lines that reference the "::$index_allocation" stream, a technique that can be used to prevent tooling such as "explorer.exe" or "powershell.exe" from accessing folders or files.
Sigma rule
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
    - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
      type: similar
status: test
description: |
    Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such a stream in the CommandLine, but EDRs such as Crowdstrike are able to, for example by using CMD console history. Users are advised to test this before usage.
        CommandLine|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium
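The rule's note advises testing before use. The following is an added example, not part of the Sigma project or the rule's own tooling: it applies the rule's selection to constructed process_creation events and extracts the directory path named with the stream suffix for triage. The event dictionaries, sample paths and function names are assumptions made for illustration.

```python
import re

# Value of the rule's `CommandLine|contains` selection.
NEEDLE = "::$index_allocation"

# A path token carrying the stream suffix: either double-quoted (may contain
# spaces) or bare (runs to the next whitespace). Anything after the suffix,
# such as \file.txt, is tolerated and ignored.
_TOKEN = re.compile(
    r'"([^"]*?)::\$index_allocation[^"]*"|(\S*?)::\$index_allocation\S*',
    re.IGNORECASE,
)

def matches_rule(event):
    """Sigma string matching is case-insensitive; `contains` is a substring test."""
    cmdline = event.get("CommandLine") or ""
    return NEEDLE in cmdline.lower()

def referenced_dirs(cmdline):
    """Return the directory paths that were named with the stream suffix."""
    paths = []
    for m in _TOKEN.finditer(cmdline):
        paths.append(m.group(1) if m.group(1) is not None else m.group(2))
    return paths

def triage(events):
    """Return (Image, [directories]) for every event the selection matches."""
    return [
        (ev.get("Image"), referenced_dirs(ev["CommandLine"]))
        for ev in events
        if matches_rule(ev)
    ]

# Constructed events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c md C:\Temp\demo::$INDEX_ALLOCATION"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c type "C:\My Data\demo::$index_allocation\note.txt"'},
    # No stream suffix recorded: the rule cannot match this event (see the
    # rule's note on sensors that do not log the stream).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c md C:\Temp\demo"},
    # Event without a CommandLine field at all.
    {"Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for image, dirs in triage(SAMPLE_EVENTS):
        print(image, dirs)
```

Replaying a known test command through the actual log pipeline and feeding the resulting events to `triage` shows whether the sensor preserves the stream reference that the rule depends on.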
Related rules
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- Hidden Executable In NTFS Alternate Data Stream