Query Details

Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)

AD Sroot Directory File Creation

Query

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @"(?i)^[A-Z]:\\:.+"

About this query

Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)

Description

Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives. https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml

Detection Logic

  • Filters DeviceFileEvents for events related to file creation.
  • Specifically looks for events where the folder path matches the pattern of a root directory on a Windows drive and contains a colon (:) followed by a dollar sign ($) to indicate an ADS creation attempt.

Tags

  • Defense Evasion

Search Query

Explanation

This query detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives by filtering file creation events and looking for folder paths with a colon and dollar sign.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 16, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsActionTypeFileCreatedFolderPathmatchesregexA-ZcolondollarADSCreationWindowsDrive

Operators

where FolderPath contains ":$"

Actions

GitHub