Detect NTFS File Attributes in Google Chronicle
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with a record for every file and directory. A file can carry multiple data streams: the primary unnamed :$DATA stream and any number of named Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (for example storing malware in legitimate.txt:hidden_payload.exe) because Explorer and a plain dir listing report only the primary stream and its size; dir /r, Get-Item -Stream * and Sysinternals Streams do enumerate the named streams. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.004 NTFS File Attributes
- Canonical reference: https://attack.mitre.org/techniques/T1564/004/
YARA-L Detection Query
rule ntfs_alternate_data_stream_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects NTFS Alternate Data Stream (ADS) abuse for payload hiding and defense evasion (T1564.004). Covers ADS file creation, PowerShell item cmdlets addressing a stream, cmd.exe echo/type redirects into a stream, and the Sysinternals Streams utility. Excludes Zone.Identifier streams."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.004"
    reference = "https://attack.mitre.org/techniques/T1564/004/"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      /* FILE_CREATION with a stream suffix: C:\Temp\file.txt:hidden_payload.exe
         The colon must be followed directly by a stream name running to the end of
         the path. A bare strings.contains(":") would match the drive letter (C:\)
         in every Windows path, so the suffix pattern is required. */
      (
        $e.metadata.event_type = "FILE_CREATION" and
        re.regex($e.target.file.full_path, `:[^\\/:\s"']+$`) and
        not re.regex($e.target.file.full_path, `(?i):Zone\.Identifier`)
      )
      or
      /* Sysinternals Streams.exe: ADS enumeration or removal utility */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(streams|streams64)\.exe$`)
      )
      or
      /* PowerShell ADS read/write. The item cmdlets address a stream through the
         documented -Stream parameter; a colon-suffixed path is kept as a fallback
         for stream paths handed to .NET file APIs from the same command line. */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Get-Item|Get-Content|Set-Content|Add-Content|Remove-Item|Clear-Content)`) and
        (
          re.regex($e.target.process.command_line, `(?i)-Stream\s+`) or
          re.regex($e.target.process.command_line, `:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+`)
        ) and
        not re.regex($e.target.process.command_line, `(?i)Zone\.Identifier`)
      )
      or
      /* cmd.exe redirect into a stream:
           echo data > file.txt:stream   or   type payload.exe > file.txt:stream.exe
         The stream name is not required to carry an extension. */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(echo|type)\b.+>\s*[^\s>]+:[^\\/:\s"']+`)
      )
      or
      /* Generic process: command line references stream notation (:name.ext).
         A drive-letter colon is followed by a backslash and cannot match this
         pattern, so no separate drive-letter exclusion is needed. Anchoring an
         exclusion on ^[a-z]:\\ would instead suppress true positives whose
         command line starts with the full path of the executable. */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.command_line, `:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+`) and
        not re.regex($e.target.process.command_line, `(?i):Zone\.Identifier`)
      )
    )

  condition:
    $e
}
Chronicle YARA-L 2.0 single-event rule detecting NTFS ADS abuse across the FILE_CREATION and PROCESS_LAUNCH UDM event types. It matches file creation events whose path ends in a stream suffix (excluding Zone.Identifier), PowerShell item-cmdlet invocations that address a stream, cmd.exe echo/type redirects into a stream, and execution of the Sysinternals Streams utility. The generic process branch also catches other tools handed a stream path on the command line (for example wscript.exe launching readme.txt:evil.vbs). Every pattern requires a name directly after the colon, so the drive-letter colon in C:\ never matches and needs no separate exclusion; the generic branch is the noisiest and is the one to scope with the tuning notes below.
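Before deploying, it is worth checking the stream patterns against realistic Windows paths and command lines, since a pattern that matches the drive-letter colon floods the rule with every file write on the estate. The following Python harness is an added example, not Chronicle code and not part of the original page: it applies patterns of the same shape as the rule branches to a handful of constructed, UDM-like event dicts (the event shape, the function names matched_branches and alerts, and all paths and command lines are assumptions made for the demo). The regexes avoid lookaround so they behave the same under Python's re and under RE2, which Chronicle uses for re.regex().

```python
import re

# Patterns equivalent to the rule branches. No lookaround is used, so they
# behave the same under Python's re and under RE2 (Chronicle's re.regex()).
STREAM_SUFFIX = re.compile(r""":[^\\/:\s"']+$""")               # path ends in :streamname
ADS_IN_CMDLINE = re.compile(r":[A-Za-z0-9_\-]+\.[A-Za-z0-9]+")   # :name.ext anywhere
ZONE_ID = re.compile(r"(?i)Zone\.Identifier")
STREAMS_TOOL = re.compile(r"(?i)(streams|streams64)\.exe$")
POWERSHELL = re.compile(r"(?i)(powershell|pwsh)\.exe$")
PS_ADS_CMDLET = re.compile(
    r"(?i)(Get-Item|Get-Content|Set-Content|Add-Content|Remove-Item|Clear-Content)")
PS_STREAM_PARAM = re.compile(r"(?i)-Stream\s+")
CMD_EXE = re.compile(r"(?i)cmd\.exe$")
CMD_REDIRECT = re.compile(r"""(?i)(echo|type)\b.+>\s*[^\s>]+:[^\\/:\s"']+""")

# Constructed sample events in a flattened, UDM-like shape (hypothetical data,
# not real Chronicle telemetry). Index comments state the expected outcome.
SAMPLE_EVENTS = [
    # 0: payload hidden in a stream -> file_creation_ads
    {"event_type": "FILE_CREATION",
     "full_path": r"C:\Users\bob\AppData\Local\Temp\legitimate.txt:hidden_payload.exe"},
    # 1: browser download marker -> excluded
    {"event_type": "FILE_CREATION",
     "full_path": r"C:\Users\bob\Downloads\setup.exe:Zone.Identifier"},
    # 2: ordinary file; only colon is the drive letter -> no alert
    {"event_type": "FILE_CREATION",
     "full_path": r"C:\Users\bob\Documents\report.docx"},
    # 3: script executed from a stream -> generic_ads_cmdline
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" C:\Temp\readme.txt:evil.vbs'},
    # 4: PowerShell writing a stream via -Stream -> powershell_ads
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -Command Set-Content -Path C:\Temp\normal.txt -Stream hidden_data -Value test"},
    # 5: reading the Zone.Identifier marker -> excluded
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-Item C:\Temp\installer.msi -Stream Zone.Identifier"},
    # 6: classic type-redirect into a stream -> cmd_redirect_ads + generic_ads_cmdline
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c type C:\Temp\payload.exe > C:\Temp\legitimate.txt:hidden_payload.exe"},
    # 7: redirect into a plain file -> no alert
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c echo hello > C:\Temp\notes.txt"},
    # 8: quoted full path at start of command line -> no alert
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    # 9: scp remote spec looks like stream notation -> generic_ads_cmdline (known FP)
    {"event_type": "PROCESS_LAUNCH",
     "process_path": r"C:\Windows\System32\OpenSSH\scp.exe",
     "command_line": r"scp.exe backup.tar deploy@build01:backup.tar"},
]


def matched_branches(ev):
    """Return the names of the rule branches the event satisfies ([] = no alert)."""
    hits = []
    event_type = ev.get("event_type")
    if event_type == "FILE_CREATION":
        path = ev.get("full_path", "")
        if STREAM_SUFFIX.search(path) and not ZONE_ID.search(path):
            hits.append("file_creation_ads")
    elif event_type == "PROCESS_LAUNCH":
        exe = ev.get("process_path", "")
        cmd = ev.get("command_line", "")
        if STREAMS_TOOL.search(exe):
            hits.append("sysinternals_streams")
        if (POWERSHELL.search(exe) and PS_ADS_CMDLET.search(cmd)
                and (PS_STREAM_PARAM.search(cmd) or ADS_IN_CMDLINE.search(cmd))
                and not ZONE_ID.search(cmd)):
            hits.append("powershell_ads")
        if CMD_EXE.search(exe) and CMD_REDIRECT.search(cmd):
            hits.append("cmd_redirect_ads")
        if ADS_IN_CMDLINE.search(cmd) and not ZONE_ID.search(cmd):
            hits.append("generic_ads_cmdline")
    return hits


def alerts(events):
    """Return (index, branches) for every event that would raise a detection."""
    result = []
    for i, ev in enumerate(events):
        hits = matched_branches(ev)
        if hits:
            result.append((i, hits))
    return result


if __name__ == "__main__":
    for i, hits in alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        subject = ev.get("full_path") or ev.get("command_line")
        print(f"[{i}] {ev['event_type']}: {subject} -> {hits}")
```

Events 0, 3, 4, 6 and 9 alert; 1, 2, 5, 7 and 8 do not. Event 9 is deliberately included as the kind of false positive the generic branch produces on any host:file.ext argument, which is the branch to scope by process name after baselining.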
False Positives & Tuning
- Zone.Identifier streams written by SmartScreen, web browsers (Chrome, Edge, Firefox), and Windows Attachment Manager on every downloaded file; already excluded from the FILE_CREATION and command-line branches. Without that exclusion the FILE_CREATION branch fires on every download, so confirm it is in place before enabling alerting.
- Corporate DLP or CASB agents (Symantec DLP, Netskope) that annotate files with custom-named streams as part of normal policy enforcement; baseline the stream names they write and exclude them by name.
- Legitimate IT PowerShell automation running Get-Item, Get-Content or Set-Content on absolute paths. The PowerShell and generic branches should fire only on stream notation (a colon followed directly by a stream name), never on the drive-letter colon in C:\ or D:\, which is followed by a backslash; verify this with a test search over a day of PROCESS_LAUNCH events before enabling alerting.
- Any command line that genuinely contains colon-plus-name.ext, such as a remote spec for scp or rsync (host:backup.tar) or a key:value.json argument, matches the generic process branch. Exclude the specific tools you see in baseline by target.process.file.full_path rather than weakening the stream pattern.
Testing Methodology
Validate this detection against three T1564.004 tests from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Confirm in Chronicle that the Sysmon and Security events land as FILE_CREATION and PROCESS_LAUNCH with target.file.full_path and target.process.command_line populated, since the rule matches on those UDM fields rather than on the raw Windows event.
- Test 1: Hide Payload in NTFS Alternate Data Stream
Expected signal: Sysmon Event ID 15 (FileStream Created) with a TargetFilename ending in legitimate.txt:hidden_payload.exe under the Temp directory. Sysmon Event ID 1 for the cmd.exe that created the stream. dir /r on the file lists the ADS; a plain dir does not.
- Test 2: Execute Script from Alternate Data Stream
Expected signal: Sysmon Event ID 15 for readme.txt:evil.vbs. Sysmon Event ID 1 for wscript.exe with the stream path on the command line (caught by the generic process branch). Security Event ID 4688 for wscript.exe; the stream path appears there only if command-line auditing (Include command line in process creation events) is enabled.
- Test 3: PowerShell ADS Manipulation
Expected signal: Sysmon Event ID 15 for normal.txt:hidden_data. Sysmon Event ID 1 for powershell.exe with Set-Content and the stream name (-Stream) on the command line. PowerShell Script Block Logging Event ID 4104 carrying the same cmdlet.
References
- https://attack.mitre.org/techniques/T1564/004/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
- https://www.sans.org/blog/alternate-data-streams-overview/
- https://docs.microsoft.com/en-us/sysinternals/downloads/streams