EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Windows Alternate DataStream - Process Execution

The following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This detection leverages process execution data from sources like Windows process monitoring or Sysmon Event ID 1, focusing on specific processes known for such behavior. This activity is significant because alternate data streams can be used by threat actors to hide malicious code, making it difficult to detect. If confirmed malicious, this could allow an attacker to execute hidden code, potentially leading to unauthorized actions and further compromise of the system.

MITRE ATT&CK

T1564.004

Detection Query

| tstats count min(_time) as firstTime max(_time) as lastTime values(Processes.process_current_directory) as directory
from datamodel=Endpoint.Processes where
Processes.parent_process_name != "unknown"
Processes.process_name IN (
    "appvlp.exe",
    "bitsadmin.exe",
    "control.exe",
    "cscript.exe",
    "forfiles.exe",
    "ftp.exe",
    "mavinject.exe",
    "mshta.exe",
    "powershell_ise.exe",
    "powershell.exe",
    "pwsh.exe",
    "regini.exe",
    "regscr32.exe",
    "rundll32.exe",
    "sc.exe",
    "wmic.exe",
    "wscript.exe"
)

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash
   Processes.process_id Processes.process_integrity_level Processes.process_name
   Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| regex process="(\b)\w+(\.\w+)?:\w+(\.\w{2,4})(?!\.)(\b|\s|&)"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_alternate_datastream___process_execution_filter`

Author

Steven Dick

Created

2026-03-10

Data Sources

Windows Event Log Security 4688Sysmon EventID 1

References

Tags

Compromised Windows HostWindows Defense Evasion Tactics
Raw Content
name: Windows Alternate DataStream - Process Execution
id: 30c32c5c-41fe-45db-84fe-275e4320da3f
version: 10
date: '2026-03-10'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This detection leverages process execution data from sources like Windows process monitoring or Sysmon Event ID 1, focusing on specific processes known for such behavior. This activity is significant because alternate data streams can be used by threat actors to hide malicious code, making it difficult to detect. If confirmed malicious, this could allow an attacker to execute hidden code, potentially leading to unauthorized actions and further compromise of the system.
data_source:
    - Windows Event Log Security 4688
    - Sysmon EventID 1
search: |-
    | tstats count min(_time) as firstTime max(_time) as lastTime values(Processes.process_current_directory) as directory
    from datamodel=Endpoint.Processes where
    Processes.parent_process_name != "unknown"
    Processes.process_name IN (
        "appvlp.exe",
        "bitsadmin.exe",
        "control.exe",
        "cscript.exe",
        "forfiles.exe",
        "ftp.exe",
        "mavinject.exe",
        "mshta.exe",
        "powershell_ise.exe",
        "powershell.exe",
        "pwsh.exe",
        "regini.exe",
        "regscr32.exe",
        "rundll32.exe",
        "sc.exe",
        "wmic.exe",
        "wscript.exe"
    )

    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
       Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path Processes.process
       Processes.process_exec Processes.process_guid Processes.process_hash
       Processes.process_id Processes.process_integrity_level Processes.process_name
       Processes.process_path Processes.user Processes.user_id Processes.vendor_product

    | `drop_dm_object_name(Processes)`
    | regex process="(\b)\w+(\.\w+)?:\w+(\.\w{2,4})(?!\.)(\b|\s|&)"
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_alternate_datastream___process_execution_filter`
how_to_implement: Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EventID 1.
known_false_positives: False positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty.
references:
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://car.mitre.org/analytics/CAR-2020-08-001/
    - https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams
    - https://blog.netwrix.com/2022/12/16/alternate_data_stream/
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user$"
      search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The $process_name$ process was executed by $user$ using data from an NTFS alternate data stream.
    risk_objects:
        - field: dest
          type: system
          score: 50
        - field: user
          type: user
          score: 50
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Compromised Windows Host
        - Windows Defense Evasion Tactics
    asset_type: Endpoint
    mitre_attack_id:
        - T1564.004
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog