From 54b2f7582e2f4a61a152e7febac79491f55c5878 Mon Sep 17 00:00:00 2001 From: Nic Date: Tue, 7 Feb 2023 06:40:42 -0600 Subject: [PATCH] Update defense_evasion_unusual_ads_file_creation.toml (#2522) --- rules/windows/defense_evasion_unusual_ads_file_creation.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 506cdbfef..74620b0cd 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -33,7 +33,7 @@ Attackers can abuse these alternate data streams to hide malicious files, string #### Possible investigation steps - Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this: - - `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname` + - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName` - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. - Investigate other alerts associated with the user/host during the past 48 hours.
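Review bot: The dropped `-file` switch in the replaced cmdlet line is not a parameter `Get-Content` accepts (the path binds to `-Path`, which is positional), so the hunk is a correct fix, but the new line would be clearer for analysts if the parameter were explicit and the stream switch followed PowerShell's parameter casing: `Get-Content -Path C:\\Path\\To\\file.exe -Stream SampleAlternateDataStreamName`. The doubled backslashes are TOML string escapes and render as single backslashes in the rule description, so they are fine as written; for consistency with the surrounding bullets in this section, consider also noting in the step text that the placeholder stream name must be replaced with the stream name reported in the alert.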