Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
    - id: 0900463c-b33b-49a8-be1d-552a3b553dae
      type: similar
status: test
description: |
    Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
        TargetFilename|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium