Alternate-Data-Stream

Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.

Adversaries may execute malicious code from Alternate Data Streams (ADS) on Windows to evade defenses by hiding malware within legitimate files, which this detection identifies by monitoring process execution paths and arguments.