{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/alternate-data-stream/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","hide-artifacts","alternate-data-stream"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., \u003ccode\u003eC:\\:evil.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ADS is populated with malicious code, such as a reverse shell or malware payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script to execute the hidden ADS file. For example: \u003ccode\u003ewmic process call create \u0026quot;cmd.exe /c start C:\\:evil.exe\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule has a risk score of 47, and a medium severity is applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.\u003c/li\u003e\n\u003cli\u003eEnable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the \u003ccode\u003e[A-Z]:\\\\:.+\u003c/code\u003e regex pattern in the rule query.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-08T12:00:00Z","date_published":"2024-07-08T12:00:00Z","id":"/briefs/2024-07-root-dir-ads-creation/","summary":"Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.","title":"Alternate Data Stream Creation/Execution at Volume Root Directory","url":"https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","alternate data stream"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAlternate Data Streams (ADS) are a feature of the NTFS file system that allows files to contain multiple data streams. Adversaries can exploit this feature to hide malicious code within legitimate files, making detection more difficult. This technique is often used for defense evasion, as security tools may not inspect ADS when scanning for malware. This detection focuses on identifying processes initiated from ADS by monitoring process execution paths and arguments, specifically looking for the pattern \u003ccode\u003e?:\\*:*\u003c/code\u003e. This activity is uncommon for legitimate processes, making it a valuable indicator of potential malicious activity. The rule is designed for data generated by Elastic Defend, but also supports CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker creates an Alternate Data Stream (ADS) within a seemingly benign file (e.g., \u003ccode\u003eharmless.txt:malicious.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker copies or moves malicious executable code into the newly created ADS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a method to execute the code within the ADS, often involving command-line arguments that specify the ADS path (e.g., \u003ccode\u003eharmless.txt:malicious.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe operating system executes the code contained within the ADS as if it were a standard executable.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as installing malware, establishing persistence, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to further conceal their activity by deleting the original executable or modifying timestamps.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve persistence, exfiltrate data, or perform other malicious activities while evading traditional detection methods.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide and execute malicious code, bypassing standard security measures. This can lead to malware infections, data breaches, and system compromise. The number of victims and specific sectors targeted can vary, but the potential impact includes data loss, financial damage, and reputational harm.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unusual Process Execution from Alternate Data Stream\u0026rdquo; to your SIEM and tune for your environment to detect processes executing from ADS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture process execution events necessary for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes with command-line arguments matching the \u003ccode\u003e?:\\\\*:\\*\u003c/code\u003e pattern.\u003c/li\u003e\n\u003cli\u003eReview process details, including the process name and path, to determine if it is a known legitimate application or potentially malicious, as described in the rule\u0026rsquo;s investigation guide.\u003c/li\u003e\n\u003cli\u003eCorrelate events with other security logs or alerts from data sources like Sysmon, Microsoft Defender XDR, or CrowdStrike to gather additional context.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-ads-execution/","summary":"Adversaries may execute malicious code from Alternate Data Streams (ADS) on Windows to evade defenses by hiding malware within legitimate files, which this detection identifies by monitoring process execution paths and arguments.","title":"Detecting Execution from Alternate Data Streams","url":"https://feed.craftedsignal.io/briefs/2024-01-ads-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Alternate-Data-Stream","version":"https://jsonfeed.org/version/1.1"}