Skip to content
Threat Feed
high advisory

Unusual File Creation via Alternate Data Streams

Detection of suspicious creation of Alternate Data Streams (ADS) on targeted files using command interpreters indicates potential malware hiding or defense evasion.

This detection identifies the creation of Alternate Data Streams (ADS) on specific file types via command interpreters (cmd.exe, powershell.exe) or scripting engines (wscript.exe, mshta.exe). ADS are NTFS file attributes that can be used to hide malicious files or payloads. The rule focuses on creation events where the file extension matches a list of commonly targeted types such as executables, documents, and images. This activity is flagged as suspicious because legitimate software rarely creates ADS on these file types. The detection logic excludes common legitimate ADS names (e.g. Zone.Identifier). This activity is a known defense evasion technique and can be used to mask malware execution.

Attack Chain

  1. The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker uses a command interpreter (cmd.exe, powershell.exe) or scripting engine (mshta.exe, wscript.exe) to execute a malicious script or command.
  3. The script or command creates a new file with a common extension (e.g., .exe, .dll, .pdf, .docx).
  4. The script or command creates an Alternate Data Stream (ADS) on the newly created file, embedding malicious code or data within the ADS. The syntax "C:\file.exe:streamname" is used to create the ADS.
  5. The attacker may use the ADS to store an executable payload, a script, or configuration data for malware.
  6. The attacker executes the hidden code within the ADS using a command interpreter or other tool that can access ADS content.
  7. The executed code performs malicious actions, such as establishing persistence, downloading additional payloads, or exfiltrating data.
  8. The attacker maintains stealth by hiding malicious components within ADS, making them harder to detect through standard file system scans.

Impact

A successful attack leveraging Alternate Data Streams can result in malware infection, data theft, or system compromise. Attackers can use ADS to hide malicious executables, scripts, or configuration files, making them difficult to detect with traditional anti-virus solutions. This technique is commonly used in targeted attacks and can lead to significant damage, including data loss, financial losses, and reputational damage. The number of affected victims can vary widely, depending on the scope of the initial compromise and the attacker's objectives.

Recommendation

  • Deploy the Sigma rule "Unusual ADS File Creation via Command Interpreter" to your SIEM to detect the creation of ADS on targeted file types (rule.threat).
  • Enable Sysmon file creation logging to capture the events necessary for the "Unusual ADS File Creation via Command Interpreter" Sigma rule (rule.logsource).
  • Investigate any alerts generated by the Sigma rule "Unusual ADS File Creation via Command Interpreter" by retrieving and analyzing the contents of the alternate data stream.
  • Monitor process execution events for processes accessing Alternate Data Streams to identify potential malware execution from ADS.

Detection coverage 2

Unusual ADS File Creation via Command Interpreter

high

Detects the creation of Alternate Data Streams (ADS) on common file types by command interpreters or scripting engines.

sigma tactics: defense_evasion techniques: T1564.004 sources: file_event, windows

Suspicious Process Accessing Alternate Data Stream

medium

Detects processes accessing Alternate Data Streams, potentially executing hidden code.

sigma tactics: defense_evasion, execution techniques: T1059.001, T1564.004 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →