Tag
high
advisory
Suspicious Alternate Data Stream (ADS) File Creation
2 rules, 1 TTP
Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.
M365 Defender +3
defense-evasion
ads
file-creation
windows
high
advisory
Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)
2 rules, 1 TTP
Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.
defense-evasion
ads
rundll32
windows