From 34cea547503fbe0dbc9cfb7ebce3ca1ffb8c21fb Mon Sep 17 00:00:00 2001 From: Scoubi Date: Wed, 11 Oct 2023 07:06:28 -0500 Subject: [PATCH] Merge PR #4399 From @Scoubi - New Rules Related To INDEX_ALLOCATION Potential Abuse new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...t_win_susp_hidden_dir_index_allocation.yml | 30 +++++++++++++++++++ ...n_win_susp_hidden_dir_index_allocation.yml | 30 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
new file mode 100644
index 000000000..fee6855d2
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
@@ -0,0 +1,30 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
+id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+related:
+ - id: 0900463c-b33b-49a8-be1d-552a3b553dae
+ type: similar
+status: experimental
+description: |
+ Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "cmd.exe"
+references:
+ - https://twitter.com/pfiatde/status/1681977680688738305
+ - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+ - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
+ TargetFilename|contains: '::$index_allocation'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
new file mode 100644
index 000000000..4bbb9aa23
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
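Review bot: The in-rule comment above `TargetFilename|contains: '::$index_allocation'` was carried over from the process_creation rule and talks about the CommandLine field, so it never answers the question an operator actually has for a file_event rule: whether the file-create telemetry feeding this rule records the `::$INDEX_ALLOCATION` suffix in TargetFilename at all, and whether it records the creation of a directory (the referenced atomic test uses mkdir) rather than a file. Unless that is confirmed for Sysmon EID 11 / ETW file-create events, the rule may be silent on those sources while its `falsepositives: Unlikely` and `level: medium` suggest it is ready to use; I would replace the comment with `# Note: Sysmon and ETW file-create events may not record the "::$INDEX_ALLOCATION" suffix (or directory creation) in TargetFilename; validate against your telemetry source before relying on this rule`. The description also reads as a fragment ("stream. Which can be used"); joining it as "stream, which can be used as a technique ..." would make it a sentence.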
@@ -0,0 +1,30 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+id: 0900463c-b33b-49a8-be1d-552a3b553dae
+related:
+ - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+ type: similar
+status: experimental
+description: |
+ Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "cmd.exe"
+references:
+ - https://twitter.com/pfiatde/status/1681977680688738305
+ - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+ - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ # Note: Both Sysmon and ETW are unable to log the presence of such stram in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage
+ CommandLine|contains: '::$index_allocation'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
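Review bot: The selection is anchored on the literal `::$index_allocation`, i.e. an empty stream name followed by the type, but the MS-FSCC stream syntax cited in the references is `:StreamName:StreamType`, so a spelling with an explicit name (for example `:$I30:$INDEX_ALLOCATION`) would slip past the `::` anchor; if such a form is accepted by Windows (this should be tested, not assumed), matching on the type alone, `CommandLine|contains: '$index_allocation'`, covers both without an obvious benign collision. The note above the selection states that Sysmon and ETW do not record this token in CommandLine, which means the rule is effectively EDR-only as shipped; that limitation belongs in the description or falsepositives text rather than only in a YAML comment that converters drop. Two typos in that comment, `such stram` and `are able to using for example`, should read `such streams` and `are able to, using for example`.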