CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities
NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell.
References
Oddvar Moe has created an excellent NTFS ADS execution reference on GitHub, which was used as the basis for many of these analytics. The LOLBAS project is an amazing resource for anything related to living-off-the-land binaries and scripts (LOLBAS).
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
Hide Artifacts | NTFS File Attributes | Defense Evasion | Low |
D3FEND Techniques
ID | Name |
---|---|
D3-PSA | Process Spawn Analysis |
Data Model References
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | command_line |
Implementations
NTFS ADS - pseudocode (Pseudocode, CAR native)
This is generic pseudocode that lines up with the Splunk queries below.
processes = search Process:Create
ads_processes = filter processes where (
  exe == "powershell.exe OR rundll32.exe OR wmic.exe OR wscript.exe OR cscript.exe" and command_line.matches("__some_regex__")
)
output ads_processes
NTFS ADS - powershell (Splunk, Sysmon native)
This Splunk query looks for invocations of powershell used to execute NTFS alternate data streams.
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\powershell.exe | regex CommandLine="Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-ep bypass\s+-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-command.*Get-Content.*-Stream.*Set-Content.*start-process .*(\w+(\.\w+)?)"
NTFS ADS - wmic (Splunk, Sysmon native)
This Splunk query looks for invocations of WMIC used to execute NTFS alternate data streams.
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\wmic.exe | regex CommandLine="process call create.*\"(\w+(\.\w+)?):(\w+(\.\w+)?)"
NTFS ADS - rundll32 (Splunk, Sysmon native)
This Splunk query looks for invocations of rundll32 used to execute NTFS alternate data streams.
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\rundll32.exe | regex CommandLine="\"?(\w+(\.\w+)?):(\w+(\.\w+)?)?\"?,\w+|(advpack\.dll|ieadvpack\.dll),RegisterOCX\s+(\w+\.\w+):(\w+(\.\w+)?)|(shdocvw\.dll|ieframe\.dll),OpenURL.*(\w+\.\w+):(\w+(\.\w+)?)"
NTFS ADS - wscript/cscript (Splunk, Sysmon native)
This Splunk query looks for invocations of the Windows Script Host (wscript.exe or cscript.exe) used to execute NTFS alternate data streams.
index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\*\\wscript.exe OR Image=C:\\Windows\\*\\cscript.exe) | regex CommandLine="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"
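To show what the four queries above actually match, here is an added Python example (not part of the CAR analytic or its Splunk implementation) that transcribes the page's regexes and the Image path filter into Python's re module and runs them over a handful of Sysmon-style process-create records; the image paths and command lines in SAMPLE_EVENTS are constructed for the example.

```python
import ntpath
import re

# The page's Splunk regexes transcribed verbatim; Python's re supports every feature they use
# (\b, \w, alternation, the (?<!/) lookbehind). Splunk's regex command is case-sensitive, so no IGNORECASE.
ADS_PATTERNS = {
    "powershell.exe": re.compile(
        r'Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)'
        r'|-ep bypass\s+-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)'
        r'|-command.*Get-Content.*-Stream.*Set-Content.*start-process .*(\w+(\.\w+)?)'),
    "wmic.exe": re.compile(r'process call create.*"(\w+(\.\w+)?):(\w+(\.\w+)?)'),
    "rundll32.exe": re.compile(
        r'"?(\w+(\.\w+)?):(\w+(\.\w+)?)?"?,\w+'
        r'|(advpack\.dll|ieadvpack\.dll),RegisterOCX\s+(\w+\.\w+):(\w+(\.\w+)?)'
        r'|(shdocvw\.dll|ieframe\.dll),OpenURL.*(\w+\.\w+):(\w+(\.\w+)?)'),
    "wscript.exe": re.compile(r'(?<!/)\b\w+(\.\w+)?:\w+(\.\w+)?$'),
}
ADS_PATTERNS["cscript.exe"] = ADS_PATTERNS["wscript.exe"]  # the page uses one regex for both WSH hosts


def is_ads_execution(image, command_line):
    """Mirror of the Splunk logic: Image must sit under C:\\Windows\\ (the Image=C:\\Windows\\*\\... clause),
    be one of the monitored utilities, and its CommandLine must hit that utility's regex."""
    image_l = image.lower()
    if not image_l.startswith("c:\\windows\\"):
        return False
    pattern = ADS_PATTERNS.get(ntpath.basename(image_l))
    return bool(pattern and pattern.search(command_line))


# Constructed process-create records in Sysmon Event ID 1 shape (Image, CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wbem\wmic.exe", 'wmic process call create "file.txt:payload.exe"'),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe file.txt:ads.dll,EntryPoint"),
    (r"C:\Windows\System32\wscript.exe", "wscript.exe file.txt:script.vbs"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -ep bypass - < file.txt:script.ps1"),
    # Benign look-alikes the page's regexes are written to skip:
    (r"C:\Windows\System32\wscript.exe", "wscript.exe //E:vbscript file.vbs"),  # //E: is an engine switch, not a stream
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe file.txt:ads.txt"),  # not a monitored image
    # Coverage gap worth knowing: the wmic regex wants the stream spec directly after the opening quote,
    # so a quoted full path is not matched by the analytic as written.
    (r"C:\Windows\System32\wbem\wmic.exe", r'wmic process call create "C:\temp\file.txt:payload.exe"'),
]


def flag_ads_events(events=SAMPLE_EVENTS):
    """Return the command lines the analytic would surface, in input order."""
    return [cmd for image, cmd in events if is_ads_execution(image, cmd)]
```

Calling flag_ads_events() returns the first four sample command lines and none of the benign or gap cases, which is a quick way to sanity-check a transcription of these regexes before deploying it outside Splunk.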