Rule Content
- title: Executable in ADS
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: experimental
description: Detects the creation of an ADS data stream that contains an executable
(non-empty imphash)
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
tags:
- attack.defense_evasion
- attack.t1027
- attack.s0139
author: Florian Roth, @0xrawsec
date: 2018/06/03
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config with Imphash logging activated'
category: null
detection:
selection:
EventID: 15
filter:
Imphash: '00000000000000000000000000000000'
condition: selection and not filter
fields:
- TargetFilename
- Image
falsepositives:
- unknown
level: critical