From 9421ccfad742e73d375ccda32abe361e2780bc10 Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Wed, 10 Feb 2021 09:28:25 -0500
Subject: [PATCH] [New Rule] Unusual File Creation - Alternate Data Stream (#902)
* Create defense_evasion_unusual_ads_file_creation.toml * lint * spacing * add logs-windows.* * Apply suggestions from code review Co-authored-by: Justin Ibarra * lint Co-authored-by: Justin Ibarra
---
 ...nse_evasion_unusual_ads_file_creation.toml | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 rules/windows/defense_evasion_unusual_ads_file_creation.toml
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
new file mode 100644
index 000000000..556d2b18c
--- /dev/null
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2021/01/21"
+maturity = "production"
+updated_date = "2021/01/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files
+and sometimes done by adversaries to hide malware.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License"
+name = "Unusual File Creation - Alternate Data Stream"
+risk_score = 47
+rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+
+query = '''
+file where event.type == "creation" and
+ file.path : "C:\\*:*" and
+ not file.path : "C:\\*:zone.identifier*" and
+ file.extension :
+ (
+ "pdf",
+ "dll",
+ "png",
+ "exe",
+ "dat",
+ "com",
+ "bat",
+ "cmd",
+ "sys",
+ "vbs",
+ "ps1",
+ "hta",
+ "txt",
+ "vbe",
+ "js",
+ "wsh",
+ "docx",
+ "doc",
+ "xlsx",
+ "xls",
+ "pptx",
+ "ppt",
+ "rtf",
+ "gif",
+ "jpg",
+ "png",
+ "bmp",
+ "img",
+ "iso"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.004"
+name = "NTFS File Attributes"
+reference = "https://attack.mitre.org/techniques/T1564/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
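Review bot: The `file.extension` list in the query contains `"png"` twice (once after `"dll"`, again after `"jpg"`); the second entry is redundant and should be removed so the list reads as a deliberate set. The `file.path : "C:\\*:*"` prefix also restricts evaluation to the C: volume, so alternate-stream creation on any other mounted NTFS volume is never considered; if that narrowing is not intended, a drive-agnostic prefix such as `file.path : "?:\\*:*"` (and the matching `"?:\\*:zone.identifier*"` in the exclusion) would cover all local drives, assuming the deployed EQL build supports the `?` single-character wildcard. The Zone.Identifier exclusion is a deliberate coverage gap, since that stream is written on every browser download, and it is worth stating in the description so analysts know the one ADS they will most often encounter is intentionally out of scope.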