NTFS Alternate Data Stream

About the rule

Rule Type

Standard

Rule Description

NTFS Alternate Data Streams (ADS) allow files or data to be stored in a hidden stream alongside a legitimate file. While this was originally designed for compatibility with Apple’s HFS, attackers exploit ADS to hide scripts, payloads, or commands without affecting the visible content of a file.

In PowerShell, commands like Set-Content or Add-Content with the -Stream parameter can be used to write hidden data into these alternate streams, making it easy to conceal malicious code during post-exploitation or persistence phases.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution of PowerShell dropper → Hidden payload written to ADS using Add-Content → Execution of hidden payload via scheduled task → C2 communication established

Impact

• Stealthy file storage
• Defense evasion
• Malware execution

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Command and Scripting Interpreter - PowerShell (T1059.001), Defense Evasion: Hide Artifacts - NTFS File Attributes (T1564.004)

Security standard:

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of the execution of PowerShell commands like Set-Content or Add-Content along with the -Stream parameter. This enables you to monitor runtime environments like PowerShell.

Author

Sami Ruohonen

Future actions

Known False Positives

This rule might be triggered by legitimate administrative scripts or backup utilities that use ADS for metadata storage or tracking.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell executions: Enable PowerShell script block logging to monitor command-level activity.

Mitigation