2018-07-24 19:49:08 +02:00
|
|
|
title: NTFS Alternate Data Stream
|
2019-11-12 23:12:27 +01:00
|
|
|
id: 8c521530-5169-495d-a199-0a3a881ad24e
|
2018-07-24 19:49:08 +02:00
|
|
|
status: experimental
|
2018-07-26 08:54:08 -07:00
|
|
|
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
|
2018-07-24 19:49:08 +02:00
|
|
|
references:
|
|
|
|
|
- http://www.powertheshell.com/ntfsstreams/
|
|
|
|
|
tags:
|
2018-09-20 12:44:44 +02:00
|
|
|
- attack.defense_evasion
|
2018-07-24 19:49:08 +02:00
|
|
|
- attack.t1096
|
2018-07-24 20:03:07 +02:00
|
|
|
author: Sami Ruohonen
|
2018-07-24 19:49:08 +02:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: powershell
|
2018-11-15 09:00:06 +03:00
|
|
|
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
|
2018-07-24 19:49:08 +02:00
|
|
|
detection:
|
2018-07-25 07:35:59 +02:00
|
|
|
keyword1:
|
2018-07-26 18:10:21 +02:00
|
|
|
- "set-content"
|
2018-07-25 07:35:59 +02:00
|
|
|
keyword2:
|
2018-07-26 18:10:21 +02:00
|
|
|
- "-stream"
|
2018-07-25 07:35:59 +02:00
|
|
|
condition: keyword1 and keyword2
|
2018-07-24 19:49:08 +02:00
|
|
|
falsepositives:
|
|
|
|
|
- unknown
|
|
|
|
|
level: high
|
