Alternate Data Stream Creation/Execution at Volume Root Directory
Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.
This detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.
Attack Chain
- Attacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).
- The attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., C:\:evil.exe).
- The ADS is populated with malicious code, such as a reverse shell or malware payload.
- The attacker uses a command-line tool or script to execute the hidden ADS file. For example: wmic process call create "cmd.exe /c start C:\:evil.exe".
- The malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.
- The attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.
- The attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.
Impact
Successful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule has a risk score of 47 and a medium severity.
Recommendation
- Deploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.
- Enable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.
- Investigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the [A-Z]:\\:.+ regex pattern in the rule query.
- Regularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.
- Implement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.
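As an added example (not part of the brief or the vendor's rule logic), the following Python applies the brief's [A-Z]:\\:.+ pattern to constructed Sysmon-style records: Event ID 11 (FileCreate) hits are rated medium and Event ID 1 (ProcessCreate) hits high, mirroring the two rules above. Field names and sample paths are assumptions; the only deliberate extension is a case-insensitive match, since Windows paths accept lower-case drive letters.

```python
"""Flag Sysmon events that reference an ADS attached to a volume root (C:\\:name)."""
import re
from typing import Optional

# The rule's pattern: drive letter, ':', '\', ':' and a stream name. IGNORECASE is
# added here because Windows paths are case-insensitive ('c:\:x' is the same stream).
ROOT_ADS_RE = re.compile(r"[A-Z]:\\:.+", re.IGNORECASE)

# Severity mirrors the two rules in the brief: 11 = creation, 1 = execution.
SEVERITY = {11: "medium", 1: "high"}


def find_root_ads(text: str) -> Optional[str]:
    """Return the first volume-root ADS reference in text, or None."""
    m = ROOT_ADS_RE.search(text)
    return m.group(0) if m else None


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict if the event touches a volume-root ADS, else None."""
    eid = event["event_id"]
    if eid == 11:                      # FileCreate: inspect the created path
        hit = find_root_ads(event.get("target_filename", ""))
    elif eid == 1:                     # ProcessCreate: inspect the command line
        hit = find_root_ads(event.get("command_line", ""))
    else:
        return None
    if hit is None:
        return None
    return {"severity": SEVERITY[eid], "event_id": eid,
            "image": event.get("image", ""), "stream": hit}


# Constructed sample events (assumed field names); paths are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\:evil.exe"},
    # An ADS in a subdirectory (browser mark-of-the-web) must NOT match the root pattern.
    {"event_id": 11, "image": r"C:\Program Files\Browser\browser.exe",
     "target_filename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
    {"event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic process call create "cmd.exe /c start C:\\:evil.exe"'},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\"},
]


def run(events: list) -> list:
    """Apply classify() to every event and return the alerts raised."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Only the root-level stream in the first and third records is flagged; the Zone.Identifier stream on a file under C:\Users is left alone because the backslash-colon sequence never follows the drive letter.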
Detection coverage (2 rules)
Detect ADS Creation at Volume Root Directory
Severity: medium. Detects the creation of Alternate Data Streams (ADS) at the root of a volume, indicating potential malware hiding or defense evasion tactics.
Detect ADS Execution from Volume Root Directory
Severity: high. Detects the execution of files within Alternate Data Streams (ADS) located at the root of a volume, which is often associated with malicious activity.