Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)
AD Sroot Directory File Creation
Query
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @"(?i)^[A-Z]:\\:.+"About this query
Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)
Description
Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives. https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml
Detection Logic
- Filters
DeviceFileEventsfor events related to file creation. - Specifically looks for events where the folder path matches the pattern of a root directory on a Windows drive and contains a colon (
:) followed by a dollar sign ($) to indicate an ADS creation attempt.
Tags
- Defense Evasion
Search Query
Explanation
This query detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives by filtering file creation events and looking for folder paths with a colon and dollar sign.
Details

Ali Hussein
Released: May 16, 2024
Tables
DeviceFileEvents
Keywords
DeviceFileEventsActionTypeFileCreatedFolderPathmatchesregexA-ZcolondollarADSCreationWindowsDrive
Operators
where FolderPath contains ":$"