Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Oct 28, 2023 · attack.defense_evasion attack.t1564.004 ·

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Sigma rule (View on GitHub)

 1title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
 2id: 0900463c-b33b-49a8-be1d-552a3b553dae
 3related:
 4    - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
 5      type: similar
 6status: experimental
 7description: |
 8        Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
 9references:
10    - https://twitter.com/pfiatde/status/1681977680688738305
11    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
12    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
13    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
14    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
15author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
16date: 2023/10/09
17tags:
18    - attack.defense_evasion
19    - attack.t1564.004
20logsource:
21    product: windows
22    category: process_creation
23detection:
24    selection:
25        # Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage
26        CommandLine|contains: '::$index_allocation'
27    condition: selection
28falsepositives:
29    - Unlikely
30level: medium

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/

Read More
Pentester’S Windows NTFS Tricks Collection

In this blog post René Freingruber (@ReneFreingruber) from the SEC Consult Vulnerability Lab shares different filesystem tricks which were collected over the last years from various blog posts or found by himself.

Read More
atomic-red-team/atomics/T1564.004/T1564.004.md at 5c3b23002d2bbede3c07e7307165fc2a235a427d · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More
[MS-FSCC]: NTFS Streams

All files on an NTFS volume consist of at least one stream - the main stream – this is the normal, viewable file in which data is stored. The

Read More

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Sigma rule (View on GitHub)

References

https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/

Pentester’S Windows NTFS Tricks Collection

atomic-red-team/atomics/T1564.004/T1564.004.md at 5c3b23002d2bbede3c07e7307165fc2a235a427d · redcanaryco/atomic-red-team

[MS-FSCC]: NTFS Streams

Related rules