Detection · medium · test
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Author: Florian Roth (Nextron Systems). Created Sun Jun 03, updated Fri Feb 10. Rule ID b69888d4-380c-45ce-9cf9-d9ce46e67821. Product: windows.
Log Source
Product: Windows (raw: windows)
Category: Alternate Data Stream (raw: create_stream_hash)
Definition
Requirements: Sysmon or equivalent configured with Imphash logging
Detection Logic (2 selectors)
detection:
    selection:
        Hash|contains: 'IMPHASH='
    filter_main_null:
        Hash|contains: 'IMPHASH=00000000000000000000000000000000'
    condition: selection and not 1 of filter_main_*
False Positives
This rule does not look for any particular binary characteristics, and legitimate installers and programs have been seen embedding hidden binaries in their ADS, so some false positives are expected from browser processes and similar.
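To show how the selection and the all-zero Imphash filter interact on real-shaped telemetry, here is an added example that evaluates the rule over Sysmon Event ID 15 (FileCreateStreamHash) records and extracts the host file, stream name and Imphash for triage. It is example code written for this page, not part of the Sigma rule or its repository; the sample events, paths and hash values are constructed.

```python
import re

# Constructed sample Sysmon Event ID 15 (FileCreateStreamHash) records, in the
# shape a SIEM hands over after field extraction. All values are made up.
SAMPLE_EVENTS = [
    {   # Zone.Identifier is text, so Sysmon reports the all-zero Imphash -> filtered
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        "Hash": "MD5=d41d8cd98f00b204e9800998ecf8427e,IMPHASH=00000000000000000000000000000000",
    },
    {   # a PE image written into a stream of a text file -> non-zero Imphash -> match
        "Image": r"C:\Users\alice\AppData\Local\Temp\inst.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\notes.txt:data",
        "Hash": "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,IMPHASH=1a2b3c4d5e6f70819a2b3c4d5e6f7081",
    },
    {   # Imphash logging not enabled on this host -> selection cannot fire
        "Image": r"C:\Program Files\Browser\browser.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
        "Hash": "SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709",
    },
]

NULL_IMPHASH = "IMPHASH=" + "0" * 32
IMPHASH_RE = re.compile(r"IMPHASH=([0-9a-f]{32})", re.IGNORECASE)


def matches_rule(event):
    """Evaluate 'selection and not 1 of filter_main_*' for one event.
    Sigma 'contains' is case-insensitive by default, so compare upper-cased."""
    h = event.get("Hash", "").upper()
    selection = "IMPHASH=" in h
    filter_main_null = NULL_IMPHASH in h
    return selection and not filter_main_null


def split_stream(target):
    """Split host file and stream name; the drive-letter colon is not a separator."""
    host, sep, stream = target.rpartition(":")
    if not sep or "\\" in stream:
        return target, ""
    return host, stream


def triage(events):
    """Return (image, host file, stream, imphash) for every event the rule flags."""
    hits = []
    for e in events:
        if matches_rule(e):
            host, stream = split_stream(e["TargetFilename"])
            hits.append((e["Image"], host, stream, IMPHASH_RE.search(e["Hash"]).group(1).lower()))
    return hits
```

The third record shows the requirement stated above: without Imphash logging the Hash field never contains `IMPHASH=`, so the rule is silent on that host.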
References
MITRE ATT&CK
Rule Metadata
Rule ID
b69888d4-380c-45ce-9cf9-d9ce46e67821
Status
test
Level
medium
Type
Detection
Created
Sun Jun 03
Modified
Fri Feb 10
Path
rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
Raw Tags
attack.defense-evasion, attack.s0139, attack.t1564.004