Detection rules › Splunk
Windows Alternate DataStream - Executable Content
The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1564.004 Hide Artifacts: NTFS File Attributes |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 15 | FileCreateStreamHash |
Stages and Predicates
Stage 1: search
search EventCode=15 IMPHASH!=00000000000000000000000000000000
Stage 2: regex
regex match(TargetFilename, "(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$")
Stage 3: eval
eval ... using (Hash, Image, MD5, SHA1, SHA256, TargetFilename)
Stage 4: stats
stats BY dest, dvc, file_hash, file_name, file_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, Contents, Image
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
IMPHASH | ne |
|
TargetFilename | regex_match |
|