{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hide-artifacts/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","hide-artifacts","alternate-data-stream"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., \u003ccode\u003eC:\\:evil.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ADS is populated with malicious code, such as a reverse shell or malware payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script to execute the hidden ADS file. For example: \u003ccode\u003ewmic process call create \u0026quot;cmd.exe /c start C:\\:evil.exe\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule has a risk score of 47, and a medium severity is applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.\u003c/li\u003e\n\u003cli\u003eEnable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the \u003ccode\u003e[A-Z]:\\\\:.+\u003c/code\u003e regex pattern in the rule query.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-08T12:00:00Z","date_published":"2024-07-08T12:00:00Z","id":"/briefs/2024-07-root-dir-ads-creation/","summary":"Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.","title":"Alternate Data Stream Creation/Execution at Volume Root Directory","url":"https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Hide-Artifacts","version":"https://jsonfeed.org/version/1.1"}