Creation Of a Suspicious ADS File Outside a Browser Download

Severity: medium
Author: frack113
Source: upstream

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Event coverage

Provider	Event ID	Title
Sysmon	15	FileCreateStreamHash

Stages and Predicates

Stage 1: `selection`

or:
TargetFilename|contains: .bat
TargetFilename|contains: .cmd
TargetFilename|contains: .docx
TargetFilename|contains: .exe
TargetFilename|contains: .hta
TargetFilename|contains: .jse
TargetFilename|contains: .lnk
TargetFilename|contains: .pptx
TargetFilename|contains: .ps
TargetFilename|contains: .reg
TargetFilename|contains: .scr
TargetFilename|contains: .sct
TargetFilename|contains: .vb
TargetFilename|contains: .wsc
TargetFilename|contains: .wsf
TargetFilename|contains: .xlsx
Contents|startswith: '[ZoneTransfer]  ZoneId=3'
TargetFilename|endswith: ':Zone.Identifier'

Stage 2: `not 1 of filter_optional_*`

or:
or:
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeCore\'
Image|startswith: 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith: '\SnippingTool\SnippingTool.exe'
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
TargetFilename|endswith: '.png:Zone.Identifier'
TargetFilename|contains: '\AppData\Local\Packages\Microsoft.ScreenSketch_'
TargetFilename|contains: '\TempState\Screenshot '
TargetFilename|startswith: 'C:\Users\'
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
Image|endswith: '\brave.exe'
Image|endswith: '\maxthon.exe'
Image|endswith: '\opera.exe'
Image|endswith: '\safari.exe'
Image|endswith: '\seamonkey.exe'
Image|endswith: '\vivaldi.exe'
Image|endswith: '\whale.exe'
Image: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Contents`	starts_with	`[ZoneTransfer] ZoneId=3` corpus 2 (sigma 2)
`Image`	ends_with	`\SnippingTool\SnippingTool.exe` `\WindowsApps\MicrosoftEdge.exe` corpus 12 (sigma 12) `\brave.exe` corpus 20 (sigma 20) `\maxthon.exe` corpus 13 (sigma 13) `\msedge.exe` corpus 22 (sigma 22) `\msedgewebview2.exe` corpus 15 (sigma 15) `\opera.exe` corpus 21 (sigma 21) `\safari.exe` corpus 12 (sigma 12) `\seamonkey.exe` corpus 13 (sigma 13) `\vivaldi.exe` corpus 19 (sigma 19) `\whale.exe` corpus 12 (sigma 12)
`Image`	eq	`C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Internet Explorer\iexplore.exe` corpus 10 (sigma 10) `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files (x86)\Mozilla Firefox\firefox.exe` corpus 11 (sigma 11) `C:\Program Files\Google\Chrome\Application\chrome.exe` corpus 12 (sigma 12) `C:\Program Files\Internet Explorer\iexplore.exe` corpus 11 (sigma 11) `C:\Program Files\Microsoft\Edge\Application\msedge.exe` corpus 11 (sigma 11) `C:\Program Files\Mozilla Firefox\firefox.exe` corpus 12 (sigma 12)
`Image`	starts_with	`C:\Program Files (x86)\Microsoft\EdgeCore\` corpus 11 (sigma 11) `C:\Program Files (x86)\Microsoft\EdgeWebView\Application\` corpus 10 (sigma 10) `C:\Program Files\Microsoft\EdgeCore\` corpus 11 (sigma 11) `C:\Program Files\WindowsApps\Microsoft.ScreenSketch_`
`TargetFilename`	ends_with	`.png:Zone.Identifier` `:Zone.Identifier` corpus 3 (sigma 3)
`TargetFilename`	match	`.bat` `.cmd` `.docx` `.exe` corpus 3 (sigma 3) `.hta` `.jse` `.lnk` `.pptx` `.ps` `.reg` `.scr` `.sct` `.vb` `.wsc` `.wsf` `.xlsx` `\AppData\Local\Packages\Microsoft.ScreenSketch_` `\TempState\Screenshot`
`TargetFilename`	starts_with	`C:\Users\` corpus 12 (sigma 12)