Detectionmediumtest

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

ScoubiCreated Mon Oct 09a8f866e1-bdd4-425e-a27a-37619238d9c7windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
        TargetFilename|contains: '::$index_allocation'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1564.004 · NTFS File Attributes

Related Rules

SimilarDetectionmedium

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

a8f866e1-bdd4-425e-a27a-37619238d9c7

Status

test

Level

medium

Type

Detection

Created

Mon Oct 09

Author

Scoubi

Path

rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml

Raw Tags

attack.defense-evasionattack.t1564.004

View on GitHub