medium
advisory
Alternate Data Stream Creation/Execution at Volume Root Directory
2 rules 1 TTP
Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.
Microsoft Defender XDR +2
defense-evasion
hide-artifacts
alternate-data-stream
medium
advisory
Detecting Execution from Alternate Data Streams
2 rules 1 TTP
Adversaries may execute malicious code from Alternate Data Streams (ADS) on Windows to evade defenses by hiding malware within legitimate files. This detection identifies such execution by monitoring process execution paths and arguments.
M365 Defender +1
defense-evasion
windows
alternate data stream