Threat Feed (medium-severity advisory)

Detecting Execution from Alternate Data Streams

Adversaries may execute malicious code from Alternate Data Streams (ADS) on Windows to evade defenses by hiding malware within legitimate files, which this detection identifies by monitoring process execution paths and arguments.

Alternate Data Streams (ADS) are a feature of the NTFS file system that allows a file to carry multiple data streams. Adversaries can exploit this feature to hide malicious code within legitimate files, making detection more difficult. The technique is often used for defense evasion, as security tools may not inspect ADS when scanning for malware. This detection focuses on identifying processes initiated from an ADS by monitoring process execution paths and arguments, specifically looking for the pattern `?:\*:*` (a drive letter, a colon and a backslash, any path, then a second colon that names the stream). This activity is uncommon for legitimate processes, making it a valuable indicator of potential malicious activity. The rule is designed for data generated by Elastic Defend, but also supports CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

  1. An attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker creates an Alternate Data Stream (ADS) within a seemingly benign file (e.g., harmless.txt:malicious.exe).
  3. The attacker copies or moves malicious executable code into the newly created ADS.
  4. The attacker uses a method to execute the code within the ADS, often involving command-line arguments that specify the ADS path (e.g., harmless.txt:malicious.exe).
  5. The operating system executes the code contained within the ADS as if it were a standard executable.
  6. The malicious code performs its intended actions, such as installing malware, establishing persistence, or escalating privileges.
  7. The attacker may attempt to further conceal their activity by deleting the original executable or modifying timestamps.
  8. The final objective is to achieve persistence, exfiltrate data, or perform other malicious activities while evading traditional detection methods.

Impact

Successful exploitation allows attackers to hide and execute malicious code, bypassing standard security measures. This can lead to malware infections, data breaches, and system compromise. The number of victims and specific sectors targeted can vary, but the potential impact includes data loss, financial damage, and reputational harm.

Recommendation

  • Deploy the Sigma rule “Unusual Process Execution from Alternate Data Stream” to your SIEM and tune for your environment to detect processes executing from ADS.
  • Enable Sysmon process creation logging to capture process execution events necessary for the Sigma rule to function correctly.
  • Investigate any alerts generated by the Sigma rule, focusing on processes with command-line arguments matching the `?:\*:*` pattern.
  • Review process details, including the process name and path, to determine if it is a known legitimate application or potentially malicious, as described in the rule’s investigation guide.
  • Correlate events with other security logs or alerts from data sources like Sysmon, Microsoft Defender XDR, or CrowdStrike to gather additional context.

Detection coverage (2 rules)

Unusual Process Execution from Alternate Data Stream

medium

Detects processes running from an Alternate Data Stream (ADS), which is uncommon for legitimate processes and sometimes done by adversaries to hide malware.

Rule type: Sigma | Tactics: defense_evasion | Techniques: T1564.004 | Sources: process_creation, windows

Process with ADS Argument and Single Argument Count

medium

Detects processes where arguments contain an ADS path and the argument count is one, which may indicate execution from an ADS.

Rule type: Sigma | Tactics: defense_evasion | Techniques: T1564.004 | Sources: process_creation, windows
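The two rules above, applied to process-creation events, as an added example that is not the platform's own detection code: it encodes the advisory's `?:\*:*` glob as a regex and reports which rule each event would trigger. The event record, the rule-name constants and the sample events are constructed for this illustration and do not follow any vendor schema.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# The advisory's glob "?:\*:*" as a regex: drive letter, ":\", any path, then a
# second ":" that introduces the NTFS stream name (e.g. harmless.txt:malicious.exe).
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*:.+$")

@dataclass
class ProcessEvent:
    """Constructed, vendor-neutral process-creation record (not a real sensor schema)."""
    image: str                                     # executable path reported by the sensor
    args: list[str] = field(default_factory=list)  # tokenised command line, argv[0] included

RULE_ADS_EXEC = "Unusual Process Execution from Alternate Data Stream"
RULE_ADS_SINGLE_ARG = "Process with ADS Argument and Single Argument Count"

def is_ads_path(value: str) -> bool:
    """True when a path token points into an alternate data stream."""
    return ADS_PATH.match(value) is not None

def classify(event: ProcessEvent) -> list[str]:
    """Names of the advisory's two rules that this event would trigger."""
    hits: list[str] = []
    # Rule 1: the image itself, or any argument, is an ADS path.
    if is_ads_path(event.image) or any(is_ads_path(a) for a in event.args):
        hits.append(RULE_ADS_EXEC)
    # Rule 2: exactly one argument, and it is an ADS path (the launched object is the stream).
    if len(event.args) == 1 and is_ads_path(event.args[0]):
        hits.append(RULE_ADS_SINGLE_ARG)
    return hits

# Constructed sample events: a benign launch, the classic ADS launch, and an
# interpreter reading a script from a stream (rule 1 only, since there are two arguments).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", [r"C:\Windows\System32\notepad.exe"]),
    ProcessEvent(r"C:\Users\bob\harmless.txt:malicious.exe", [r"C:\Users\bob\harmless.txt:malicious.exe"]),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", [r"C:\Windows\System32\wscript.exe", r"C:\temp\notes.txt:run.vbs"]),
]

def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each image path to the rules it triggered; an empty list means no alert."""
    return {e.image: classify(e) for e in events}

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {rules or 'no alert'}")
```

A token that carries a second colon for another reason (a time stamp inside a file name, for instance) also matches the glob, which is why the Recommendation list pairs the alert with a review of the process name and path.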
