rules/windows/powershell/powershell_ntfs_ads_access.yml

title: NTFS Alternate Data Stream
id: 8c521530-5169-495d-a199-0a3a881ad24e
status: experimental
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
    - http://www.powertheshell.com/ntfsstreams/
tags:
    - attack.defense_evasion
    - attack.t1564.004
    - attack.t1096  # an old one
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
author: Sami Ruohonen
date: 2018/07/24
modified: 2020/08/24
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keyword1:
        - "set-content"
        - "add-content"
    keyword2:
        - "-stream"
    condition: keyword1 and keyword2
falsepositives:
    - unknown
level: high
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00			`title: NTFS Alternate Data Stream`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 8c521530-5169-495d-a199-0a3a881ad24e`
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00			`status: experimental`
Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00			`description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.`
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00			`references:`
			`- http://www.powertheshell.com/ntfsstreams/`
			`tags:`
ATT&CK tagging QA 2018-09-20 12:44:44 +02:00			`- attack.defense_evasion`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1564.004`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1096 # an old one`
			`- attack.execution`
			`- attack.t1059.001`
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes 2020-08-25 23:51:22 +00:00			`- attack.t1086 # an old one`
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00			`author: Sami Ruohonen`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2018/07/24`
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00			`modified: 2020/08/24`
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00			`logsource:`
			`product: windows`
			`service: powershell`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00			`definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00			`detection:`
Changes 2018-07-25 07:35:59 +02:00			`keyword1:`
Added quotation marks 2018-07-26 18:10:21 +02:00			`- "set-content"`
Add 'Add-Content' to powershell_ntfs_ads_access 2020-05-13 11:57:10 +02:00			`- "add-content"`
Changes 2018-07-25 07:35:59 +02:00			`keyword2:`
Added quotation marks 2018-07-26 18:10:21 +02:00			`- "-stream"`
Changes 2018-07-25 07:35:59 +02:00			`condition: keyword1 and keyword2`
Create powershell_NTFS_Alternate_Data_Streams 2018-07-24 19:49:08 +02:00			`falsepositives:`
			`- unknown`
			`level: high`