Windows Alternate DataStream - Process Execution

name: Windows Alternate DataStream - Process Execution
id: 30c32c5c-41fe-45db-84fe-275e4320da3f
version: 13
creation_date: '2024-01-10'
modification_date: '2026-06-04'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This detection leverages process execution data from sources like Windows process monitoring or Sysmon Event ID 1, focusing on specific processes known for such behavior. This activity is significant because alternate data streams can be used by threat actors to hide malicious code, making it difficult to detect. If confirmed malicious, this could allow an attacker to execute hidden code, potentially leading to unauthorized actions and further compromise of the system.
data_source:
    - Windows Event Log Security 4688
    - Sysmon EventID 1
search: |-
    | tstats count min(_time) as firstTime max(_time) as lastTime values(Processes.process_current_directory) as directory
    from datamodel=Endpoint.Processes where
    Processes.parent_process_name != "unknown"
    Processes.process_name IN (
        "appvlp.exe",
        "bitsadmin.exe",
        "control.exe",
        "cscript.exe",
        "forfiles.exe",
        "ftp.exe",
        "mavinject.exe",
        "mshta.exe",
        "powershell_ise.exe",
        "powershell.exe",
        "pwsh.exe",
        "regini.exe",
        "regsvr32.exe",
        "rundll32.exe",
        "sc.exe",
        "wmic.exe",
        "wscript.exe"
    )
    
    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
       Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path Processes.process
       Processes.process_exec Processes.process_guid Processes.process_hash
       Processes.process_id Processes.process_integrity_level Processes.process_name
       Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    
    | `drop_dm_object_name(Processes)`
    | regex process="(\b)\w+(\.\w+)?:\w+(\.\w{2,4})(?!\.)(\b|\s|&)"
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_alternate_datastream___process_execution_filter`
how_to_implement: Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EventID 1.
known_false_positives: False positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty.
references:
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://car.mitre.org/analytics/CAR-2020-08-001/
    - https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams
    - https://blog.netwrix.com/2022/12/16/alternate_data_stream/
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user$"
      search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: The $process_name$ process was executed by $user$ using data from an NTFS alternate data stream.
    entity:
        field: user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 50
          message: The $process_name$ process was executed by $user$ using data from an NTFS alternate data stream.
threat_objects:
    - field: process_name
      type: process_name
analytic_story:
    - Compromised Windows Host
    - Windows Defense Evasion Tactics
asset_type: Endpoint
mitre_attack_id:
    - T1564.004
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit