Name:Windows Alternate DataStream - Executable Content id:a258bf2a-34fd-4986-8086-78f506e00206 version:4 date:2024-09-30 author:Steven Dick, Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment. Data_source:
-Sysmon EventID 15
search:`sysmon` EventCode=15 IMPHASH!=00000000000000000000000000000000 | regex TargetFilename="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$" | eval file_name = replace(TargetFilename,"(.*\\\)",""), process = Image , file_path = TargetFilename, file_hash = coalesce(SHA256,SHA1,MD5,Hash) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by dest, process, process_guid, file_name, file_path, file_hash, IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_alternate_datastream___executable_content_filter`
how_to_implement:Target environment must ingest Sysmon data, specifically Event ID 15, and import hashing/imphash must be enabled within Sysmon. known_false_positives:Unknown References: -https://car.mitre.org/analytics/CAR-2020-08-001/ -https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams -https://twitter.com/0xrawsec/status/1002478725605273600?s=21 drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows Defense Evasion Tactics' asset_type:Endpoint confidence:80 impact:100 message:Base64 content written to an NTFS alternate data stream by $user$, see command field for details. mitre_attack_id: - 'T1564' - 'T1564.004' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' name:'file_name' type:'File Name' - role: - 'Attacker' name:'file_hash' type:'File Hash' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'dest' - 'TargetFilename' - 'Image' - 'Contents' - 'file_hash' - 'process_guid' - 'IMPHASH' risk_score:80 security_domain:endpoint
