Windows Alternate DataStream - Base64 Content

Author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk
Source: upstream

The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1564.004` Hide Artifacts: NTFS File Attributes

Event coverage

Provider	Event ID	Title
Sysmon	15	FileCreateStreamHash

Stages and Predicates

Stage 1: `search`

search NOT Contents IN ("-", "[ZoneTransfer]*") EventCode=15

Stage 2: `regex`

regex match(TargetFilename, "(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$")

Stage 3: `regex`

regex match(Contents, "(?:[A-Za-z0-9+/]{128,})(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")

Stage 4: `eval`

eval ... using (Contents, Hash, Image, MD5, SHA1, SHA256, TargetFilename)

Stage 5: `stats`

stats BY dest, dvc, file_hash, file_name, file_path, process, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, Contents, Image, base64

Stage 6: `search`

search `macro`

Stage 7: `fields`

fields base64

Stage 8: `rename`

rename

Stage 9: `search`

search

Stage 10: `search`

search

Stage 11: `search`

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`Contents`	in	`"-"`, `"[ZoneTransfer]*"`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Contents`	regex_match	`"(?:[A-Za-z0-9+/]{128,})(?:[A-Za-z0-9+/]{2}==\|[A-Za-z0-9+/]{3}=)?$"`
`EventCode`	eq	`15` corpus 3 (splunk 3)
`TargetFilename`	regex_match	`"(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"` corpus 2 (splunk 2)

Windows Alternate DataStream - Base64 Content

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: regex

Stage 3: regex

Stage 4: eval

Stage 5: stats

Stage 6: search

Stage 7: fields

Stage 8: rename

Stage 9: search

Stage 10: search

Stage 11: search