NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell.

References

Oddvar Moe has created an excellent NTFS ADS execution reference here on github, which was used as the basis for many of these analytics. The LOLBAS project is an amazing resource for anything LOLBAS.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Hide Artifacts NTFS File Attributes Defense Evasion Low

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
process create exe
process create command_line

Implementations

NTFS ADS - pseudocode (Pseudocode, CAR native)

This is generic pseudocode that lines up with the below Splunk queries.

processes = search Process:Create
ads_processes = filter processes where (
exe == "powershell.exe OR rundll32.exe OR wmic.exe OR wscript.exe OR cscript.exe" and command_line.matches("__some_regex__")
)
output ads_processes

NTFS ADS - powershell (Splunk, Sysmon native)

This Splunk query looks for invocations of powershell used to execute NTFS alternate data streams.

index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\powershell.exe|regex CommandLine="Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-ep bypass\s+-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-command.*Get-Content.*-Stream.*Set-Content.*start-process .*(\w+(\.\w+)?)"

NTFS ADS - wmic (Splunk, Sysmon native)

This Splunk query looks for invocations of WMIC used to execute NTFS alternate data streams.

index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\wmic.exe | regex CommandLine="process call create.*\"(\w+(\.\w+)?):(\w+(\.\w+)?)"

NTFS ADS - rundll32 (Splunk, Sysmon native)

This Splunk query looks for invocations of rundll32 used to execute NTFS alternate data streams.

index=__sysmon_index__  EventCode=1 Image=C:\\Windows\\*\\rundll32.exe | regex CommandLine="\"?(\w+(\.\w+)?):(\w+(\.\w+)?)?\"?,\w+\|(advpack\.dll\|ieadvpack\.dll),RegisterOCX\s+(\w+\.\w+):(\w+(\.\w+)?)\|(shdocvw\.dll\|ieframe\.dll),OpenURL.*(\w+\.\w+):(\w+(\.\w+)?)"

NTFS ADS - wscript/cscript (Splunk, Sysmon native)

This Splunk query looks for invocations of the windows scripting host used to execute NTFS alternate data streams.

index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\*\\wscript.exe OR Image=C:\\Windows\\*\\cscript.exe) | regex CommandLine="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"