Suspicious ADS File Creation
Detect suspicious creation or modification of NTFS Alternate Data Streams.
| id: | 6624038b-05e6-4f9b-9830-346af38de870 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1096 NTFS File Attributes |
Query

```eql
file where
  file_name == "*:*" and file_name != "*:Zone.Identifier" and
  (file_name == "*.dll*" or file_name == "*.exe*")
```
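The query above matches file events whose name carries an alternate data stream (the `name:stream` form), drops the ubiquitous `Zone.Identifier` mark-of-the-web stream, and keeps only streams that look like executables. The following Python is an added illustration of that same logic run over a handful of constructed file events; it is not part of the EQL analytics library and the event dictionaries, field names (`event_type`, `file_name`) and function names are assumptions made for this example. The wildcard comparison is approximated with `fnmatch` on lowercased strings, mirroring EQL's case-insensitive `==` with `*` patterns.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry). file_name is the base name only,
# as in the EQL schema; a full path such as "C:\..." would itself contain a colon
# and make the "*:*" test match every event.
SAMPLE_EVENTS = [
    {"event_type": "file", "file_name": "tool.exe:Zone.Identifier"},   # MOTW stream, expected noise
    {"event_type": "file", "file_name": "update.txt:payload.dll"},     # DLL hidden in a text file's ADS
    {"event_type": "file", "file_name": "notes.txt:hidden.exe"},       # EXE hidden in a text file's ADS
    {"event_type": "file", "file_name": "report.docx:stream.txt"},     # ADS, but not executable-looking
    {"event_type": "file", "file_name": "app.exe"},                    # ordinary file, no stream
    {"event_type": "process", "file_name": "notes.txt:hidden.exe"},    # wrong event type for this rule
]


def _match(value, pattern):
    """Case-insensitive wildcard comparison, approximating EQL's `field == "*pattern*"`."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_suspicious_ads(event):
    """Return True when a single event satisfies the rule's conditions."""
    if event.get("event_type") != "file":
        return False
    name = event.get("file_name", "")
    return (
        _match(name, "*:*")                     # has an alternate data stream
        and not _match(name, "*:Zone.Identifier")  # ignore mark-of-the-web
        and (_match(name, "*.dll*") or _match(name, "*.exe*"))  # executable-looking stream
    )


def find_suspicious_ads(events):
    """Apply the rule to a stream of events and return the matching file names."""
    return [e["file_name"] for e in events if is_suspicious_ads(e)]


if __name__ == "__main__":
    for hit in find_suspicious_ads(SAMPLE_EVENTS):
        print("suspicious ADS:", hit)
```

Two points worth checking before deploying the rule as written: the `*.dll*` / `*.exe*` patterns also match names that merely contain those substrings (for example `notes.exe.bak:data`), so review hits rather than alerting blindly; and because `Zone.Identifier` is excluded by exact stream name, a stream named `zone.identifier` with different casing is still excluded under EQL's case-insensitive comparison, which the lowercasing above reproduces.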