Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- '.cab'
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
condition: selection_stream and (1 of selection_tools_*)
falsepositives:
- Unknown
level: medium
imProcessCreate
| where TargetProcessCommandLine contains "txt:" and ((TargetProcessCommandLine contains "type " and TargetProcessCommandLine contains " > ") or (TargetProcessCommandLine contains "makecab " and TargetProcessCommandLine contains ".cab") or (TargetProcessCommandLine contains "reg " and TargetProcessCommandLine contains " export ") or (TargetProcessCommandLine contains "regedit " and TargetProcessCommandLine contains " /E ") or (TargetProcessCommandLine contains "esentutl " and TargetProcessCommandLine contains " /y " and TargetProcessCommandLine contains " /d " and TargetProcessCommandLine contains " /o "))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |