Suspicious ADS File Creation

Detect the creation or modification of NTFS Alternate Data Streams (ADS) whose stream name looks like an executable or DLL. An ADS is an extra named data stream attached to a file, addressed as file.txt:streamname; it does not appear in a normal directory listing or in the file's reported size, so adversaries use it to stage payloads on disk. Browsers and mail clients write the benign Zone.Identifier stream (mark-of-the-web) to downloaded files, so that stream is excluded. The query matches on file_name (the base name with the stream suffix appended, as the data source reports it), not on the full path, so the colon in a drive letter does not trigger it. T1096 was the technique ID when this analytic was written; ATT&CK has since folded it into T1564.004 Hide Artifacts: NTFS File Attributes.

id:6624038b-05e6-4f9b-9830-346af38de870
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1096 NTFS File Attributes

Query

file where
  file_name == "*:*" and file_name != "*:Zone.Identifier" and
  (file_name == "*.dll*" or file_name == "*.exe*")
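
To check what this query does and does not match before deploying it, the following Python re-implements its predicate and runs it over a handful of constructed file events. This is an added example, not code from the EQL analytics library or the eql package; the event dictionaries are made up, and the wildcard helper assumes the original EQL string semantics (case-insensitive comparison, with `*` as the only wildcard in `==` and `!=`).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample file events (not real telemetry). file_name carries the
# stream suffix, "<base name>:<stream>", the way the analytic expects it.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "file", "file_name": "invoice.pdf:Zone.Identifier", "process_name": "chrome.exe"},
    {"event_type": "file", "file_name": "notes.txt:payload.exe", "process_name": "powershell.exe"},
    {"event_type": "file", "file_name": "report.docx:LOADER.DLL", "process_name": "cmd.exe"},
    {"event_type": "file", "file_name": "readme.txt:comment", "process_name": "notepad.exe"},
    {"event_type": "file", "file_name": "setup.exe", "process_name": "msiexec.exe"},
    {"event_type": "file", "file_name": "installer.exe:Zone.Identifier", "process_name": "msedge.exe"},
    # Wrong event type: the query is scoped to "file where ...", so this is skipped.
    {"event_type": "process", "file_name": "evil.exe:hidden.exe", "process_name": "explorer.exe"},
]


def eql_wildcard(value: str, pattern: str) -> bool:
    """Emulate EQL 'value == pattern' for strings.

    Assumption (original Endgame EQL semantics): comparison is case-insensitive
    and '*' is the only wildcard; every other character is literal, so '.' in
    'Zone.Identifier' is escaped rather than treated as a regex metacharacter.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def is_suspicious_ads(event: Dict[str, str]) -> bool:
    """Port of the query above:

    file where
      file_name == "*:*" and file_name != "*:Zone.Identifier" and
      (file_name == "*.dll*" or file_name == "*.exe*")
    """
    if event.get("event_type") != "file":
        return False
    name = event.get("file_name", "")
    return (
        eql_wildcard(name, "*:*")
        and not eql_wildcard(name, "*:Zone.Identifier")
        and (eql_wildcard(name, "*.dll*") or eql_wildcard(name, "*.exe*"))
    )


def split_ads(file_name: str) -> Tuple[str, str]:
    """Split 'base:stream' into (base, stream); stream is '' when there is no ADS."""
    base, _, stream = file_name.partition(":")
    return base, stream


def run_analytic(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the analytic would alert on."""
    return [e for e in events if is_suspicious_ads(e)]


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        base, stream = split_ads(hit["file_name"])
        print(f"ALERT {hit['process_name']} wrote stream {stream!r} to {base!r}")
```

Of the constructed events, only notes.txt:payload.exe and report.docx:LOADER.DLL fire: the mark-of-the-web streams are excluded even when the host file is itself an .exe, a plain .exe with no stream has no colon, and the process event is outside the query's scope. To produce a real event on a Windows test host, write a stream with PowerShell's Set-Content -Stream parameter and list it with Get-Item -Stream *, then confirm that your sensor reports file_name with the :stream suffix; if it reports only the base name or a full path, this query will be silent or will need to be adapted to the field your data source exposes.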

Contributors