{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ads/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","file-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the creation of Alternate Data Streams (ADS) on Windows systems, a technique often employed by adversaries to conceal malicious code or data within seemingly benign files. Attackers leverage scripting engines and command interpreters to write ADS to various file types, including executables, documents, and media files. This activity is uncommon in legitimate workflows, making it a valuable indicator of potential compromise. The rule is designed to trigger on file creation events where the process creating the file is a known script or command interpreter (cmd.exe, powershell.exe, etc.) and the target file has a suspicious extension. The detection excludes common legitimate ADS usage patterns. This technique is used for defense evasion, allowing malware to persist without being easily detected by traditional security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command interpreter (cmd.exe, powershell.exe, etc.) or scripting engine (wscript.exe, cscript.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code creates an Alternate Data Stream (ADS) on a targeted file (e.g., an executable, document, or image). The targeted file\u0026rsquo;s extension could be pdf, dll, exe, dat, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker hides malicious code or data within the ADS, making it less visible to standard file system scans and security tools. The ADS is written to a file path using the \u003ccode\u003eC:\\\\*:\\*\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or clean up any staging files to further conceal their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute the hidden code within the ADS, or use the ADS to store configuration data for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the ADS to store and execute malicious code, bypassing typical file-based security measures.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to maintain unauthorized access to the system, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious code within legitimate files, evading detection by traditional security measures. This can lead to prolonged persistence on compromised systems, enabling data theft, ransomware deployment, or other malicious activities. While the specific number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via Cmd\u003c/code\u003e to detect ADS creation events initiated by cmd.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via PowerShell\u003c/code\u003e to detect ADS creation events initiated by powershell.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 15 (FileCreateStreamHash) to provide detailed information about ADS creation events, as referenced in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the file paths, creating processes, and command-line arguments involved, as detailed in the rule\u0026rsquo;s triage and analysis notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:00:00Z","date_published":"2024-01-26T18:00:00Z","id":"/briefs/2024-01-ads-file-creation/","summary":"Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.","title":"Suspicious Alternate Data Stream (ADS) File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-ads-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","rundll32","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRundll32 is a legitimate Windows utility used to execute DLLs. However, adversaries can abuse this functionality to execute malicious code while evading detection. This technique involves storing a malicious DLL within an Alternate Data Stream (ADS) of a file. ADS allows hiding data within existing files, making it less likely to be discovered by standard file system scans. When rundll32.exe is then used to execute the DLL from the ADS, it can bypass application whitelisting and other security measures, as the execution appears to originate from the trusted rundll32.exe process. This technique has been observed across various threat actors seeking to establish persistence or execute arbitrary code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through methods like phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious DLL to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line utility to write the DLL into an Alternate Data Stream (ADS) of an existing file, such as a text file or image. For example: \u003ccode\u003eecho \u0026quot;DLL content\u0026quot; \u0026gt; legitimate_file.txt:malicious.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the DLL stored in the ADS. The command typically looks like: \u003ccode\u003erundll32.exe \u0026quot;C:\\ads\\file.txt:ADSDLL.dll\u0026quot;,DllMain\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRundll32.exe loads and executes the malicious DLL from the ADS.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing persistence, downloading additional payloads, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use additional techniques to further conceal their activity, such as obfuscating the command line or using process injection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows arbitrary code execution on the targeted system. Attackers can use this technique to establish persistence, escalate privileges, bypass security controls, and deploy further malware. The use of ADS makes detection more challenging, as the malicious DLL is hidden within a seemingly benign file. This can lead to data breaches, system compromise, and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments used with \u003ccode\u003erundll32.exe\u003c/code\u003e (as used in the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious \u003ccode\u003erundll32.exe\u003c/code\u003e executions from ADS.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual file modifications that involve writing data to alternate data streams.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T15:30:00Z","date_published":"2024-01-08T15:30:00Z","id":"/briefs/2024-01-08-rundll32-ads/","summary":"Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.","title":"Rundll32 Execution with DLL Stored in Alternate Data Stream (ADS)","url":"https://feed.craftedsignal.io/briefs/2024-01-08-rundll32-ads/"}],"language":"en","title":"CraftedSignal Threat Feed — Ads","version":"https://jsonfeed.org/version/1.1"}