
Creation Of a Suspicious ADS File Outside a Browser Download

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Author: François Hubaut
Created: Sat Oct 22
Updated: Mon Jun 12
Rule ID: 573df571-a223-43bc-846e-3f98da481eca
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Alternate Data Stream (raw: create_stream_hash)

Detection Logic (14 selectors)
detection:
    selection:
        Contents|startswith: '[ZoneTransfer]  ZoneId=3'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains:
            - '.exe'
            - '.scr'
            - '.bat'
            - '.cmd'
            - '.docx'
            - '.hta'
            - '.jse'
            - '.lnk'
            - '.pptx'
            - '.ps'
            - '.reg'
            - '.sct'
            - '.vb'
            - '.wsc'
            - '.wsf'
            - '.xlsx'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_snipping_tool:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
        Image|endswith: '\SnippingTool\SnippingTool.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Packages\Microsoft.ScreenSketch_'
            - '\TempState\Screenshot '
        TargetFilename|endswith: '.png:Zone.Identifier'
    condition: selection and not 1 of filter_optional_*
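To show what the selection and the filter_optional_* exclusions actually accept and reject, here is a Python re-implementation of the selectors above, run over constructed Sysmon Event ID 15 (FileCreateStreamHash) records. This is an added example, not code from the rule or the Sigma project; the image paths, user name and file names in the records are made up.

```python
# Pure-Python evaluation of the rule's selection and filter_optional_* selectors.
# Sigma string modifiers are case-insensitive, so fields are lower-cased first.
SUSPICIOUS_EXT = ('.exe', '.scr', '.bat', '.cmd', '.docx', '.hta', '.jse', '.lnk',
                  '.pptx', '.ps', '.reg', '.sct', '.vb', '.wsc', '.wsf', '.xlsx')
PF = ("c:\\program files\\", "c:\\program files (x86)\\")
BROWSER_EXACT = {p + s for p in PF for s in (
    "google\\chrome\\application\\chrome.exe", "mozilla firefox\\firefox.exe",
    "internet explorer\\iexplore.exe", "microsoft\\edge\\application\\msedge.exe")}
BROWSER_SUFFIX = ("\\brave.exe", "\\maxthon.exe", "\\opera.exe", "\\safari.exe",
                  "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe",
                  "\\windowsapps\\microsoftedge.exe")
EDGE_CORE = tuple(p + "microsoft\\edgecore\\" for p in PF)

def selection(ev):
    fn = ev["TargetFilename"].lower()
    return (ev["Contents"].lower().startswith("[zonetransfer]  zoneid=3")
            and fn.endswith(":zone.identifier")
            and any(ext in fn for ext in SUSPICIOUS_EXT))  # 'contains', not 'endswith'

def is_browser(image):
    i = image.lower()
    return (i in BROWSER_EXACT or i.endswith(BROWSER_SUFFIX)
            or i.startswith(PF[1] + "microsoft\\edgewebview\\application\\")
            or (i.startswith(EDGE_CORE)
                and i.endswith(("\\msedge.exe", "\\msedgewebview2.exe"))))

def is_snipping_tool(ev):
    i, fn = ev["Image"].lower(), ev["TargetFilename"].lower()
    return (i.startswith(PF[0] + "windowsapps\\microsoft.screensketch_")
            and i.endswith("\\snippingtool\\snippingtool.exe")
            and fn.startswith("c:\\users\\") and fn.endswith(".png:zone.identifier")
            and "\\appdata\\local\\packages\\microsoft.screensketch_" in fn
            and "\\tempstate\\screenshot " in fn)

def rule_matches(ev):  # condition: selection and not 1 of filter_optional_*
    return selection(ev) and not (is_browser(ev["Image"]) or is_snipping_tool(ev))

def alerts(events):
    return [ev["Image"] for ev in events if rule_matches(ev)]

# Sysmon writes the stream's CRLF as two spaces, hence the double space below.
STREAM = {"Contents": "[ZoneTransfer]  ZoneId=3"}
EVENTS = [  # constructed records; paths, version folder and user name are made up
    {**STREAM, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.exe:Zone.Identifier"},
    {**STREAM, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.hta:Zone.Identifier"},
    {**STREAM, "Image": "C:\\Program Files\\Microsoft\\EdgeCore\\115.0.0\\msedge.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\tool.lnk:Zone.Identifier"},
]
```

Only the PowerShell record fires: the Chrome and EdgeCore records are dropped by the browser filters, and a file whose name contains none of the listed extensions never enters the selection at all.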
False Positives

Other legitimate browsers not currently included in the filter (please add them)

Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)

MITRE ATT&CK: Defense Evasion (tag attack.defense-evasion)

Rule Metadata
Rule ID: 573df571-a223-43bc-846e-3f98da481eca
Status: test
Level: medium
Type: Detection
Created: Sat Oct 22
Modified: Mon Jun 12
Path: rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
Raw Tags: attack.defense-evasion