Suspicious Alternate Data Stream (ADS) File Creation
Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.
This detection focuses on identifying the creation of Alternate Data Streams (ADS) on Windows systems, a technique often employed by adversaries to conceal malicious code or data within seemingly benign files. Attackers leverage scripting engines and command interpreters to write ADS to various file types, including executables, documents, and media files. This activity is uncommon in legitimate workflows, making it a valuable indicator of potential compromise. The rule is designed to trigger on file creation events where the process creating the file is a known script or command interpreter (cmd.exe, powershell.exe, etc.) and the target file has a suspicious extension. The detection excludes common legitimate ADS usage patterns. This technique is used for defense evasion, allowing malware to persist without being easily detected by traditional security measures.
Attack Chain
- An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).
- The attacker uses a command interpreter (cmd.exe, powershell.exe, etc.) or scripting engine (wscript.exe, cscript.exe) to execute malicious code.
- The malicious code creates an Alternate Data Stream (ADS) on a targeted file (e.g., an executable, document, or image). The targeted file’s extension could be pdf, dll, exe, dat, etc.
- The attacker hides malicious code or data within the ADS, making it less visible to standard file system scans and security tools. The ADS is written to a file path using the C:\\*:\* syntax.
- The attacker may rename or clean up any staging files to further conceal their activity.
- The attacker can then execute the hidden code within the ADS, or use the ADS to store configuration data for later use.
- The attacker maintains persistence by using the ADS to store and execute malicious code, bypassing typical file-based security measures.
- The ultimate goal is to maintain unauthorized access to the system, potentially leading to data exfiltration, lateral movement, or other malicious activities.
Impact
Successful exploitation allows attackers to hide malicious code within legitimate files, evading detection by traditional security measures. This can lead to prolonged persistence on compromised systems, enabling data theft, ransomware deployment, or other malicious activities. While the specific number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting a wide range of organizations.
Recommendation
- Deploy the Sigma rule Suspicious ADS File Creation via Cmd to detect ADS creation events initiated by cmd.exe.
- Deploy the Sigma rule Suspicious ADS File Creation via PowerShell to detect ADS creation events initiated by powershell.exe.
- Enable Sysmon Event ID 15 (FileCreateStreamHash) to provide detailed information about ADS creation events, as referenced in the rule’s setup instructions.
- Investigate any alerts generated by these rules, focusing on the file paths, creating processes, and command-line arguments involved, as detailed in the rule’s triage and analysis notes.
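The detection logic that the rule description and the Sysmon Event ID 15 recommendation above call for, written out as an added example; this is not the platform's rule or the Sigma rules it refers to. It assumes Sysmon's own FileCreateStreamHash fields (EventID, Image, TargetFilename), treats Zone.Identifier as the legitimate ADS pattern the rule excludes (an assumption), and extends the page's interpreter and extension lists with pwsh.exe and jpg/png (also assumptions). The sample events are constructed.

```python
import re
from typing import List, Optional, Tuple

# Script/command interpreters named on the page; pwsh.exe is an added assumption.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Target extensions listed on the page (pdf, dll, exe, dat); jpg/png stand in for
# the "image" and "media" files it mentions and are an assumption of this example.
SUSPICIOUS_EXTENSIONS = {"pdf", "dll", "exe", "dat", "jpg", "png"}

# Legitimate ADS usage to exclude. Zone.Identifier (the mark-of-the-web stream
# browsers write to downloads) is assumed here to be that exclusion.
BENIGN_STREAMS = {"zone.identifier"}

# Drive-rooted path whose last component carries a named stream, i.e. the
# C:\dir\file.ext:stream (optionally :$DATA) form described in the attack chain.
ADS_PATH = re.compile(
    r"^(?P<drive>[A-Za-z]:\\)"                # C:\
    r"(?P<dir>(?:[^\\:]+\\)*)"                # zero or more directory components
    r"(?P<base>[^\\:]+)\.(?P<ext>[^.\\:]+)"   # file name and its extension
    r":(?P<stream>[^:\\]+)"                   # the alternate stream name
    r"(?::\$DATA)?$",                         # optional stream-type suffix
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 15 (FileCreateStreamHash) records, reduced to the
# fields the detection needs. Event 4 is an Event ID 11 (FileCreate) control.
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.pdf:payload.exe"},
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
    {"EventID": 15, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\update.dll:config"},
    {"EventID": 15, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\notes.txt:Zone.Identifier"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\out.dat"},
    {"EventID": 15, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Public\photo.jpg:stage.dat"},
]


def classify(event: dict) -> Optional[str]:
    """Return a triage reason if the event is a suspicious ADS creation, else None."""
    if event.get("EventID") != 15:          # only stream-creation events matter
        return None
    proc = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if proc not in INTERPRETERS:            # creating process must be an interpreter
        return None
    m = ADS_PATH.match(event.get("TargetFilename", ""))
    if not m:                               # not an ADS-style path at all
        return None
    stream = m.group("stream")
    if stream.lower() in BENIGN_STREAMS:    # known legitimate ADS usage
        return None
    ext = m.group("ext").lower()
    if ext not in SUSPICIOUS_EXTENSIONS:    # host file type outside the watch list
        return None
    host = f"{m.group('drive')}{m.group('dir')}{m.group('base')}.{ext}"
    return f"{proc} wrote stream '{stream}' to .{ext} file {host}"


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {why}")
```

Running it flags events 0, 2 and 5 (cmd.exe, powershell.exe and wscript.exe writing streams to a pdf, dll and jpg) and stays quiet on the browser's Zone.Identifier write, the interpreter's Zone.Identifier write, and the plain FileCreate event, which is the exclusion behaviour the rule description asks for. A production version would also carry the command line and hash fields from the same event into the alert for the triage step above.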
Detection coverage (2 rules)
Suspicious ADS File Creation via Cmd
Severity: high. Detects suspicious Alternate Data Stream (ADS) file creation using cmd.exe.
Suspicious ADS File Creation via PowerShell
Severity: high. Detects suspicious Alternate Data Stream (ADS) file creation using powershell.exe.
Detection queries are kept inside the platform.