Unusual Process Execution via Alternate Data Streams
Adversaries may use Alternate Data Streams (ADS) to hide malicious executables and execute them, evading traditional detection methods by concealing the file's true nature.
Attackers leverage Alternate Data Streams (ADS) within the NTFS file system to conceal malicious code and executables. By storing executables within the ADS of seemingly benign files, attackers can bypass security measures that rely on standard file analysis. This technique, actively used in the wild, involves executing processes directly from the ADS, making it difficult to detect via conventional methods. This behavior has been observed across multiple attack vectors and affects all versions of the Windows operating system. Detecting this activity is critical as it signifies a deliberate attempt to evade security controls and potentially execute malicious code within the environment.
Attack Chain
- An attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).
- The attacker uploads or creates a malicious executable.
- The attacker uses a tool or script (e.g.,
cmd.exe, PowerShell) to write the malicious executable into an Alternate Data Stream (ADS) of an existing file (e.g.,type evil.exe > legitimate.txt:evil.exe). - The attacker executes the hidden malicious executable from the ADS using
cmd.exeor PowerShell. For example:cmd.exe /c start legitimate.txt:evil.exe. - The executed malicious code performs its intended actions, such as establishing persistence, downloading additional payloads, or performing lateral movement.
- The attacker attempts to maintain stealth by deleting the originally dropped malicious file or further obfuscating their actions within the compromised system.
- The attacker achieves their objective, which could include data exfiltration, system compromise, or establishing a persistent foothold.
Impact
A successful attack leveraging Alternate Data Streams can lead to complete system compromise, data theft, and potential disruption of services. While the number of affected victims is not explicitly stated, this technique can be employed in targeted attacks against organizations in any sector. The primary impact is the circumvention of standard security controls, allowing malware to operate undetected for extended periods.
Recommendation
- Deploy the Sigma rule "Process Execution from Alternate Data Stream" to your SIEM to detect processes spawned from ADS paths and tune for your environment.
- Enable Sysmon process creation logging to capture process execution details, which are required for the Sigma rules above.
- Investigate any process executions with command-line arguments matching the pattern "?:\:" in your environment, as highlighted in the rule description.
- Review parent-child process relationships for processes executing from Alternate Data Streams to identify the source of the malicious execution.
Detection coverage 2
Process Execution from Alternate Data Stream
mediumDetects processes executing directly from an Alternate Data Stream (ADS).
PowerShell Execution from Alternate Data Stream
mediumDetects PowerShell executing directly from an Alternate Data Stream (ADS).
Detection queries are available on the platform. Get full rules →