<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Alternate-Data-Stream — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/alternate-data-stream/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 08 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/alternate-data-stream/feed.xml" rel="self" type="application/rss+xml"/><item><title>Alternate Data Stream Creation/Execution at Volume Root Directory</title><link>https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/</link><pubDate>Mon, 08 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/</guid><description>Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.</description><content:encoded><![CDATA[<p>This detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. 
This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., <code>C:\:evil.exe</code>).</li>
<li>The ADS is populated with malicious code, such as a reverse shell or malware payload.</li>
<li>The attacker uses a command-line tool or script to execute the hidden ADS file. For example: <code>wmic process call create &quot;cmd.exe /c start C:\:evil.exe&quot;</code>.</li>
<li>The malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.</li>
<li>The attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.</li>
<li>The attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule carries a risk score of 47 and is assigned medium severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.</li>
<li>Enable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.</li>
<li>Investigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the <code>[A-Z]:\\:.+</code> regex pattern in the rule query.</li>
<li>Regularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.</li>
<li>Implement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>hide-artifacts</category><category>alternate-data-stream</category></item><item><title>Detecting Execution from Alternate Data Streams</title><link>https://feed.craftedsignal.io/briefs/2024-01-ads-execution/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ads-execution/</guid><description>Adversaries may execute malicious code from Alternate Data Streams (ADS) on Windows to evade defenses by hiding malware within legitimate files, which this detection identifies by monitoring process execution paths and arguments.</description><content:encoded><![CDATA[<p>Alternate Data Streams (ADS) are a feature of the NTFS file system that allows files to contain multiple data streams. Adversaries can exploit this feature to hide malicious code within legitimate files, making detection more difficult. This technique is often used for defense evasion, as security tools may not inspect ADS when scanning for malware. This detection focuses on identifying processes initiated from ADS by monitoring process execution paths and arguments, specifically looking for the pattern <code>?:\*:*</code>. This activity is uncommon for legitimate processes, making it a valuable indicator of potential malicious activity. The rule is designed for data generated by Elastic Defend, but also supports CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).</li>
<li>The attacker creates an Alternate Data Stream (ADS) within a seemingly benign file (e.g., <code>harmless.txt:malicious.exe</code>).</li>
<li>The attacker copies or moves malicious executable code into the newly created ADS.</li>
<li>The attacker uses a method to execute the code within the ADS, often involving command-line arguments that specify the ADS path (e.g., <code>harmless.txt:malicious.exe</code>).</li>
<li>The operating system executes the code contained within the ADS as if it were a standard executable.</li>
<li>The malicious code performs its intended actions, such as installing malware, establishing persistence, or escalating privileges.</li>
<li>The attacker may attempt to further conceal their activity by deleting the original executable or modifying timestamps.</li>
<li>The final objective is to achieve persistence, exfiltrate data, or perform other malicious activities while evading traditional detection methods.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to hide and execute malicious code, bypassing standard security measures. This can lead to malware infections, data breaches, and system compromise. The number of victims and specific sectors targeted can vary, but the potential impact includes data loss, financial damage, and reputational harm.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Unusual Process Execution from Alternate Data Stream&rdquo; to your SIEM and tune for your environment to detect processes executing from ADS.</li>
<li>Enable Sysmon process creation logging to capture process execution events necessary for the Sigma rule to function correctly.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on processes with command-line arguments matching the <code>?:\\*:\*</code> pattern.</li>
<li>Review process details, including the process name and path, to determine if it is a known legitimate application or potentially malicious, as described in the rule&rsquo;s investigation guide.</li>
<li>Correlate events with other security logs or alerts from data sources like Sysmon, Microsoft Defender XDR, or CrowdStrike to gather additional context.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>windows</category><category>alternate data stream</category></item></channel></rss>