sigma | medium | Hunting
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Detection Query
```yaml
selection_stream:
    CommandLine|contains: "txt:"
selection_tools_type:
    CommandLine|contains|all:
        - "type "
        - " > "
selection_tools_makecab:
    CommandLine|contains|all:
        - "makecab "
        - ".cab"
selection_tools_reg:
    CommandLine|contains|all:
        - "reg "
        - " export "
selection_tools_regedit:
    CommandLine|contains|all:
        - "regedit "
        - " /E "
selection_tools_esentutl:
    CommandLine|contains|all:
        - "esentutl "
        - " /y "
        - " /d "
        - " /o "
condition: selection_stream and (1 of selection_tools_*)
```
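The following is an added example, not the rule's or the Sigma project's own code: a minimal evaluator for this rule's detection block, run over constructed process-creation command lines (paths and stream names are invented) to show what `selection_stream and (1 of selection_tools_*)` does and does not match, including a tuning caveat where a tool is invoked with its `.exe` suffix and the rule's space-terminated token no longer matches.

```python
# Added example (not the rule's or Sigma's own code): a minimal evaluator for
# this rule's detection block, run over constructed command lines.
SELECTIONS = {  # transcribed from the detection block above
    "selection_stream": ("contains", ["txt:"]),
    "selection_tools_type": ("contains_all", ["type ", " > "]),
    "selection_tools_makecab": ("contains_all", ["makecab ", ".cab"]),
    "selection_tools_reg": ("contains_all", ["reg ", " export "]),
    "selection_tools_regedit": ("contains_all", ["regedit ", " /E "]),
    "selection_tools_esentutl": ("contains_all", ["esentutl ", " /y ", " /d ", " /o "]),
}

def selection_matches(cmdline: str, name: str) -> bool:
    """Sigma string matching is case-insensitive by default, so lowercase both sides."""
    mode, tokens = SELECTIONS[name]
    hay = cmdline.lower()
    hits = (t.lower() in hay for t in tokens)
    return all(hits) if mode == "contains_all" else any(hits)

def matching_selections(cmdline: str) -> list:
    """Names of every selection that matches; handy when tuning the rule."""
    return [n for n in SELECTIONS if selection_matches(cmdline, n)]

def rule_matches(cmdline: str) -> bool:
    """condition: selection_stream and (1 of selection_tools_*)"""
    tools = [n for n in SELECTIONS if n.startswith("selection_tools_")]
    return selection_matches(cmdline, "selection_stream") and any(
        selection_matches(cmdline, n) for n in tools
    )

# Constructed sample CommandLine values (not real telemetry); paths are invented.
SAMPLES = {
    # "type" redirect into a stream of a .txt file: stream + tools_type -> alert.
    "type_into_ads": r"cmd.exe /c type C:\Users\a\notes.txt > C:\Users\a\log.txt:hidden",
    # Same redirect to a plain .txt file: no "txt:" token, so no alert.
    "type_plain_copy": r"cmd.exe /c type C:\Users\a\notes.txt > C:\Users\a\copy.txt",
    # reg export into a stream: stream + tools_reg -> alert.
    "reg_export_ads": r"reg export HKLM\SOFTWARE\Vendor C:\Temp\backup.txt:regdata",
    # Tuning caveat: "esentutl.exe" never contains the token "esentutl " (with a
    # trailing space), so this one is missed even though all switches are present.
    "esentutl_exe_form": r"esentutl.exe /y C:\Temp\in.txt /d C:\Temp\out.txt:s /o ",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:18} alert={rule_matches(cmd)!s:5} {matching_selections(cmd)}")
```

Running it prints one line per sample with the alert decision and the selections that fired; the last sample is the one to consider when deciding whether to add `.exe` forms of the tool tokens or match on the `Image` field instead.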
Author
frack113
Created
2021-09-01
Data Sources
windows / Process Creation Events
Platforms
windows
Tags
attack.defense-evasion, attack.t1564.004
Raw Content
```yaml
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_stream:
        CommandLine|contains: 'txt:'
    selection_tools_type:
        CommandLine|contains|all:
            - 'type '
            - ' > '
    selection_tools_makecab:
        CommandLine|contains|all:
            - 'makecab '
            - '.cab'
    selection_tools_reg:
        CommandLine|contains|all:
            - 'reg '
            - ' export '
    selection_tools_regedit:
        CommandLine|contains|all:
            - 'regedit '
            - ' /E '
    selection_tools_esentutl:
        CommandLine|contains|all:
            - 'esentutl '
            - ' /y '
            - ' /d '
            - ' /o '
    condition: selection_stream and (1 of selection_tools_*)
falsepositives:
    - Unknown
level: medium
```