T1564.004

NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine matches regex @":\w+\.\w+"
   or ProcessCommandLine has "streams" or ProcessCommandLine has "/ads"
   or (FileName =~ "powershell.exe" and ProcessCommandLine has "Get-Item" and ProcessCommandLine has "Stream")
   or (FileName =~ "powershell.exe" and ProcessCommandLine has "Add-Content" and ProcessCommandLine has ":")
| extend ADSWrite = ProcessCommandLine matches regex @"echo.+>.*:\w+"
| extend PowerShellADS = ProcessCommandLine has_any ("Get-Item", "Set-Content", "Add-Content") and ProcessCommandLine has ":"
| extend StreamsUtil = ProcessCommandLine has_any ("streams.exe", "streams64.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         ADSWrite, PowerShellADS, StreamsUtil
| sort by Timestamp desc
union (
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where FileName contains ":"
  | where ActionType in ("FileCreated", "FileModified")
  | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, ActionType
  | sort by Timestamp desc
)

high severity medium confidence

Data Sources

File: File Creation File: File Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Zone.Identifier ADS stream automatically added by Windows on files downloaded from the internet (Mark of the Web) — this is the most common legitimate ADS
Some legitimate software that uses ADS for storing metadata or licensing information
Security tools and forensic utilities that read or write ADS for analysis purposes
macOS compatibility layers that use resource forks stored as ADS streams on NTFS

Elastic Security (EQL)

eql

any where
  (
    /* Sysmon EventCode 15 - FileCreateStreamHash: non-standard ADS stream written to disk */
    event.code == "15" and
    file.path : "*:*" and
    not file.path : "*:Zone.Identifier*"
  ) or
  (
    /* Process creation events with ADS manipulation patterns */
    event.category : "process" and event.type : "start" and
    (
      /* PowerShell ADS read/write via built-in cmdlets */
      (process.name : ("powershell.exe", "pwsh.exe") and
       process.command_line : ("*Get-Item*:*", "*Set-Content*:*", "*Add-Content*:*", "*Get-Content*:*") and
       not process.command_line : "*Zone.Identifier*") or
      /* cmd.exe echo redirect to ADS: echo payload > legit.txt:hidden.exe */
      (process.name : "cmd.exe" and
       process.command_line : ("*echo*:*.*", "*> *:*.*") and
       not process.command_line : "*Zone.Identifier*") or
      /* Sysinternals Streams utility for ADS enumeration */
      process.name : ("streams.exe", "streams64.exe") or
      /* Generic /ads or -ads flags used by ADS-aware tools */
      (process.command_line : ("*/ads*", "*-ads*") and
       not process.command_line : "*Zone.Identifier*")
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (Windows integration)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Sysinternals Streams.exe used legitimately by IT administrators and incident responders to audit or remove ADS from corporate file servers and endpoints during maintenance or forensic activities
PowerShell automation scripts referencing drive letter paths (e.g., 'C:\path\file') or UNC paths that contain colons and inadvertently match ADS detection patterns in the command line
Backup and archival software such as Robocopy with /COPYALL or enterprise backup agents (Veeam, Commvault) that preserve and restore ADS metadata, triggering FileCreateStreamHash events with custom stream names
Security scanning tools and DLP agents that enumerate or inspect ADS content as part of endpoint compliance checks, generating both process and file events matching these patterns
Visual Studio, MSBuild, and other developer toolchains that may use NTFS streams for build artifact tracking or project metadata on developer workstations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS source_ip,
  username AS user_name,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPEID(logsourceid) AS log_source_type,
  UTF8(payload) AS raw_event
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND LOGSOURCETYPEID IN (12, 13)
  AND (
    /* Sysmon EventCode 15: FileCreateStreamHash - ADS stream creation */
    (
      (QIDNAME(qid) ILIKE '%FileCreateStreamHash%'
       OR QIDNAME(qid) ILIKE '%Sysmon%15%')
      AND UTF8(payload) MATCHES '.*:[A-Za-z0-9_-]+\\.[A-Za-z0-9]+.*'
      AND UTF8(payload) NOT ILIKE '%Zone.Identifier%'
    )
    OR
    /* Sysmon EventCode 1 / Windows EventCode 4688: Process creation with ADS patterns */
    (
      (QIDNAME(qid) ILIKE '%Process Create%'
       OR QIDNAME(qid) ILIKE '%ProcessCreate%'
       OR QIDNAME(qid) ILIKE '%4688%')
      AND (
        /* PowerShell ADS cmdlets */
        (UTF8(payload) ILIKE '%powershell.exe%'
         AND (
           UTF8(payload) ILIKE '%Get-Item%'
           OR UTF8(payload) ILIKE '%Set-Content%'
           OR UTF8(payload) ILIKE '%Add-Content%'
         )
         AND UTF8(payload) NOT ILIKE '%Zone.Identifier%'
         AND UTF8(payload) LIKE '%:%')
        /* Sysinternals Streams utility */
        OR UTF8(payload) ILIKE '%streams.exe%'
        OR UTF8(payload) ILIKE '%streams64.exe%'
        /* ADS enumeration flags */
        OR UTF8(payload) ILIKE '% /ads%'
        OR UTF8(payload) ILIKE '% -ads%'
        /* cmd.exe echo redirect to ADS */
        OR UTF8(payload) MATCHES '.*echo.*>.*:[A-Za-z0-9_]+\\.[A-Za-z0-9]+.*'
      )
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (LOGSOURCETYPEID 13) Sysmon forwarded via Windows Event Log (LOGSOURCETYPEID 12)

Required Tables

events

False Positives

Zone.Identifier ADS streams automatically created by SmartScreen, web browsers, and Windows Attachment Manager on downloaded files are excluded from the FileCreateStreamHash branch but adjacent events may appear in context
IT administrators using Sysinternals Streams.exe for ADS auditing on file servers, digital forensics investigations, or pre-incident response baseline enumeration tasks
PowerShell scripts using Get-Item or Set-Content with drive letter paths (e.g., 'C:\Windows\...') or registry provider paths that contain colons as part of the path syntax rather than as ADS stream delimiters

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
(EventCode=15 OR EventCode=1)
| parse regex "EventCode(?:Id)?[=: ]+(?P<EventCode>\\d+)" nodrop
| parse regex "Image[=: ]+(?P<Image>[^\r\n]+)" nodrop
| parse regex "CommandLine[=: ]+(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "TargetFilename[=: ]+(?P<TargetFilename>[^\r\n]+)" nodrop
| parse regex "User(?:Name)?[=: ]+(?P<User>[^\r\n]+)" nodrop
| parse regex "Computer(?:Name)?[=: ]+(?P<Computer>[^\r\n]+)" nodrop
| parse regex "Hashes[=: ]+(?P<Hashes>[^\r\n]+)" nodrop
| parse regex "ParentImage[=: ]+(?P<ParentImage>[^\r\n]+)" nodrop
| where (
    /* Sysmon Event 15: ADS file stream hash — non-Zone.Identifier stream written */
    (EventCode = "15"
     AND TargetFilename matches /:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+$/
     AND !(TargetFilename matches /:Zone\.Identifier/))
    OR
    /* Sysmon Event 1: Process creation with ADS manipulation */
    (EventCode = "1"
     AND (
       Image matches /(?i)(streams|streams64)\.exe$/
       OR CommandLine matches /(?i)\/ads/
       OR (
         Image matches /(?i)(powershell|pwsh)\.exe$/
         AND (
           CommandLine matches "Get-Item"
           OR CommandLine matches "Set-Content"
           OR CommandLine matches "Add-Content"
         )
         AND CommandLine contains ":"
         AND !(CommandLine matches /:Zone\.Identifier/)
       )
       OR (
         Image matches /(?i)cmd\.exe$/
         AND CommandLine matches /echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+/
       )
     ))
  )
| eval DetectionType = if(EventCode = "15", "ADS_FileStream_Created",
    if(Image matches /(?i)(streams|streams64)\.exe$/, "ADS_StreamsUtility",
    if(Image matches /(?i)(powershell|pwsh)\.exe$/, "ADS_PowerShell",
    "ADS_CmdRedirect")))
| fields _time, Computer, User, TargetFilename, CommandLine, Image, ParentImage, EventCode, DetectionType, Hashes
| sort by _time desc

high severity high confidence

Data Sources

Windows Sysmon (via Sumo Logic Windows Source or Installed Collector) Windows Event Log Security Source

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*winlogbeat*

False Positives

Security endpoint agents (CrowdStrike, Carbon Black, Defender) that enumerate or interact with NTFS ADS during real-time scanning may generate EventCode 15 events with custom stream names on scanned files
Sysinternals Streams.exe legitimately run by IT security teams for ADS enumeration or cleanup operations on file servers or during incident response investigations
PowerShell DSC (Desired State Configuration) or configuration management scripts that use Set-Content or Add-Content with colon-containing path expressions for system provisioning tasks

Google Chronicle / SecOps

yaral

rule ntfs_alternate_data_stream_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects NTFS Alternate Data Stream (ADS) abuse for payload hiding and defense evasion (T1564.004). Covers ADS file creation, PowerShell ADS cmdlets, cmd.exe echo redirects, and Sysinternals Streams utility. Excludes Zone.Identifier streams."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.004"
    reference = "https://attack.mitre.org/techniques/T1564/004/"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      /* FILE_CREATION with ADS notation: file.txt:hidden_payload.exe */
      (
        $e.metadata.event_type = "FILE_CREATION" and
        strings.contains($e.target.file.full_path, ":") and
        not re.regex($e.target.file.full_path, `:Zone\.Identifier`)
      )
      or
      /* Sysinternals Streams.exe: ADS enumeration or removal utility */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(streams|streams64)\.exe$`)
      )
      or
      /* PowerShell ADS read/write: Get-Item, Set-Content, Add-Content with colon path */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Get-Item|Set-Content|Add-Content|Get-Content)`) and
        strings.contains($e.target.process.command_line, ":") and
        not re.regex($e.target.process.command_line, `:Zone\.Identifier`)
      )
      or
      /* cmd.exe echo redirect to ADS: echo data > file.txt:stream.exe */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`) and
        re.regex($e.target.process.command_line, `echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+`)
      )
      or
      /* Generic process: command line references ADS stream notation */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.command_line, `:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+`) and
        not re.regex($e.target.process.command_line, `:Zone\.Identifier`) and
        not re.regex($e.target.process.command_line, `(?i)^[a-zA-Z]:\\\\`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (via Chronicle Forwarder or direct ingestion) Windows Sysmon forwarded via Chronicle Forwarder Microsoft Defender for Endpoint (via Chronicle M365 ingestion)

Required Tables

UDM Events (FILE_CREATION, PROCESS_LAUNCH)

False Positives

Zone.Identifier ADS streams written by SmartScreen, web browsers (Chrome, Edge, Firefox), and Windows Attachment Manager on all downloaded files — already excluded from FILE_CREATION and command line branches
Corporate DLP or CASB solutions (Symantec DLP, Netskope) that scan or annotate ADS content for data classification purposes, creating custom-named streams on sensitive files as part of normal policy enforcement
Legitimate IT PowerShell automation referencing Get-Item on absolute paths where the colon in drive letters (C:\, D:\) incorrectly matches the generic ADS path filter — mitigated by the drive-letter exclusion regex in the last branch

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| (
    CommandLine = /:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+/
    OR ImageFileName = /(?i)(streams|streams64)\.exe$/
    OR (
      ImageFileName = /(?i)(powershell|pwsh)\.exe$/
      AND CommandLine = /(?i)(Get-Item|Set-Content|Add-Content|Get-Content)/
      AND CommandLine = /:/
    )
    OR (
      ImageFileName = /(?i)cmd\.exe$/
      AND CommandLine = /echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+/
    )
  )
| CommandLine != /Zone\.Identifier/
| CommandLine != /(?i)^[a-zA-Z]:\\\\/
| case {
    ImageFileName = /(?i)(streams|streams64)\.exe$/ | ADSType := "StreamsUtility";
    ImageFileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-Item|Set-Content|Add-Content)/ | ADSType := "PowerShellADS";
    ImageFileName = /(?i)cmd\.exe$/ AND CommandLine = /echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+/ | ADSType := "CmdEchoADS";
    * | ADSType := "ADSCommandPattern";
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, ADSType, UserSid], limit=1000)
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Falcon Data Replicator (FDR) streaming to LogScale

Required Tables

ProcessRollup2

False Positives

Zone.Identifier ADS streams created by SmartScreen and web browsers on all downloaded files are excluded by the CommandLine filter, but parent process context may still surface downloads in correlated queries
IT security teams running Sysinternals Streams.exe during forensic investigations, endpoint ADS audits, or incident response activities on compromised systems — correlate with parent process and user context to validate
PowerShell-based configuration management and DevOps tooling (Ansible WinRM tasks, Chef DSC resources, Puppet manifests) using Set-Content or Add-Content in scripts where the colon in Windows registry provider paths (HKLM:\) matches ADS pattern filters

Last updated: 2026-04-21 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1564.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

NTFS File Attributes

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections