sigma |
sysmon_rclone_execution.yml |
- '--multi-thread-streams' |
DRL 1.0 |
sigma |
posh_ps_ntfs_ads_access.yml |
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
DRL 1.0 |
sigma |
proc_creation_win_alternate_data_streams.yml |
title: Execute From Alternate Data Streams |
DRL 1.0 |
sigma |
proc_creation_win_false_sysinternalsuite.yml |
- '\streams.exe' |
DRL 1.0 |
sigma |
proc_creation_win_susp_findstr.yml |
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ |
DRL 1.0 |
sigma |
proc_creation_win_susp_rclone_execution.yml |
- 'multi-thread-streams' |
DRL 1.0 |
LOLBAS |
Cmd.yml |
- IOC: cmd.exe executing files from alternate data streams. |
|
LOLBAS |
ConfigSecurityPolicy.yml |
- IOC: ConfigSecurityPolicy storing data into alternate data streams. |
|
LOLBAS |
Control.yml |
- IOC: Control.exe executing files from alternate data streams |
|
LOLBAS |
Cscript.yml |
- IOC: Cscript.exe executing files from alternate data streams |
|
LOLBAS |
Cscript.yml |
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ |
|
LOLBAS |
Diantz.yml |
- IOC: diantz storing data into alternate data streams. |
|
LOLBAS |
Esentutl.yml |
Usecase: Extract hidden file within alternate data streams |
|
LOLBAS |
Extrac32.yml |
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ |
|
LOLBAS |
Findstr.yml |
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ |
|
LOLBAS |
Forfiles.yml |
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ |
|
LOLBAS |
Makecab.yml |
- IOC: Makecab storing data into alternate data streams |
|
LOLBAS |
Mavinject.yml |
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ |
|
LOLBAS |
MpCmdRun.yml |
- IOC: MpCmdRun storing data into alternate data streams. |
|
LOLBAS |
Mshta.yml |
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ |
|
LOLBAS |
Rundll32.yml |
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ |
|
LOLBAS |
Sc.yml |
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ |
|
LOLBAS |
Wmic.yml |
Usecase: Execute binary file hidden in alternate data streams to evade defensive countermeasures |
|
LOLBAS |
Wscript.yml |
- IOC: Wscript.exe executing code from alternate data streams |
|
atomic-red-team |
index.md |
- Atomic Test #1: Alternate Data Streams (ADS) [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- Atomic Test #1: Alternate Data Streams (ADS) [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1553.005.md |
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is an NTFS feature and many container files do not support NTFS alternate data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) |
MIT License. © 2018 Red Canary |
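Added example (PowerShell; not code from Atomic Red Team, MITRE or any of the sources listed on this page) showing where the MOTW actually lives and how to check whether files pulled out of a container still carry it. Since there is no real download, the script simulates the browser's write of a Zone.Identifier stream onto a zip it builds itself; the scratch directory name and the helper Get-MotwZone are this example's own assumptions.

```powershell
# Added example: MOTW is the Zone.Identifier alternate data stream on the downloaded file.
# Requires Windows, an NTFS volume and PowerShell 5.1+ (Compress-Archive / Expand-Archive).
$work = Join-Path $env:TEMP 'motw-demo'          # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Build a container holding a payload-like file (constructed sample, not a real download)
$inner = Join-Path $work 'inner.txt'
Set-Content -Path $inner -Value 'constructed payload'
$zip = Join-Path $work 'download.zip'
Compress-Archive -Path $inner -DestinationPath $zip -Force
Remove-Item -Path $inner

# Simulate what a browser does on download: write ZoneId=3 (Internet zone) into Zone.Identifier
Set-Content -Path $zip -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Helper (assumed name): returns the ZoneId from a file's Zone.Identifier stream, or $null if unmarked
function Get-MotwZone {
    param([string]$Path)
    try {
        $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw -ErrorAction Stop
        if ($text -match 'ZoneId=(\d)') { return [int]$Matches[1] }
        return $null
    } catch {
        return $null      # no Zone.Identifier stream at all
    }
}

"container ZoneId: $(Get-MotwZone -Path $zip)"     # 3, the mark written above

# Extract with PowerShell and check each extracted file for the mark; a file reporting
# a $null ZoneId is the case the description above warns about: it is treated as local
$out = Join-Path $work 'extracted'
Expand-Archive -Path $zip -DestinationPath $out -Force
Get-ChildItem -Path $out -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        File   = $_.FullName
        ZoneId = Get-MotwZone -Path $_.FullName
    }
}
```

The same Get-MotwZone check can be run over files copied out of a mounted ISO or VHD (Mount-DiskImage) to see whether that path preserves the mark. Unblock-File removes the Zone.Identifier stream, so a result of $null after extraction and a result of $null after Unblock-File look identical to downstream consumers such as SmartScreen.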
atomic-red-team |
T1564.004.md |
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.004.md |
- Atomic Test #1 - Alternate Data Streams (ADS) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.004.md |
## Atomic Test #1 - Alternate Data Streams (ADS) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.004.md |
Execute from Alternate Streams |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.004.md |
Reference - 2 |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1564.004.md |
in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run “notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt” in the %temp% folder. |
MIT License. © 2018 Red Canary |
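Added example (PowerShell; not code from Atomic Red Team, Sigma or LOLBAS) that covers three of the hits above in one script: writing and reading a second $DATA attribute as in the T1564.004 atomic test, enumerating files under a directory that carry hidden streams (the hunt the atomic test's notepad step does by hand), and a rough Script Block Logging check along the lines of what posh_ps_ntfs_ads_access.yml describes. The scratch directory, the two function names and the 'set-content'/'-stream' match are this example's assumptions, not the Sigma rule's actual selection.

```powershell
# Added example: create, read, hunt for and detect NTFS alternate data streams.
# Requires Windows, an NTFS volume and PowerShell 5.1+.
$dir = Join-Path $env:TEMP 'ads-demo'                             # assumed scratch directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$hostFile = Join-Path $dir 'T1564.004_has_ads_powershell.txt'     # file name borrowed from the atomic test

Set-Content -Path $hostFile -Value 'visible content'
# A second $DATA attribute on the same MFT record; only the unnamed stream shows in a normal listing
Set-Content -Path $hostFile -Stream 'adstest.txt' -Value 'hidden content'

# Every stream on the file; ':$DATA' is the unnamed default stream
Get-Item -LiteralPath $hostFile -Stream * | Select-Object Stream, Length
# Same data the atomic test opens with "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt"
Get-Content -LiteralPath $hostFile -Stream 'adstest.txt'

# Hunt (assumed function name): files under a path carrying any named stream other than
# Zone.Identifier. Equivalent to "dir /r" in cmd.exe, filtered down to the interesting rows.
function Find-HiddenStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $f = $_
        Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object { [pscustomobject]@{ File = $f.FullName; Stream = $_.Stream; Bytes = $_.Length } }
    }
}
Find-HiddenStreams -Path $dir

# Detection (assumed function name): approximate the Sigma rule's idea against PowerShell
# Script Block Logging text (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
# Matching 'set-content'/'add-content' together with '-stream' is this example's assumption.
function Test-AdsWriteScriptBlock {
    param([string]$ScriptBlockText)
    $t = $ScriptBlockText.ToLowerInvariant()
    return ($t.Contains('set-content') -or $t.Contains('add-content')) -and $t.Contains('-stream')
}
# Constructed sample script blocks, not real log records
$samples = @(
    "Set-Content -Path C:\Users\x\notes.txt -Stream payload -Value (Get-Content .\evil.exe -Raw)",
    "Get-ChildItem C:\Users\x | Select-Object Name,Length",
    "Add-Content -Path .\report.txt -Stream s -Value 'x'"
)
$samples | ForEach-Object { [pscustomobject]@{ Hit = (Test-AdsWriteScriptBlock $_); Text = $_ } }

# Live version (needs Script Block Logging enabled; reads the real event log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     Where-Object { Test-AdsWriteScriptBlock $_.Message }
```

The first and third constructed samples are flagged, the second is not. Script Block Logging only sees writes done through PowerShell; the stream creation itself is also recorded by Sysmon as Event ID 15 (FileCreateStreamHash) regardless of which tool wrote it, which is the angle the sysmon_* rules above take.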