Detect NTFS File Attributes in Elastic Security

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.004 NTFS File Attributes
Canonical reference
https://attack.mitre.org/techniques/T1564/004/

Elastic Detection Query

Query language: EQL
any where
  (
    /* Sysmon EventCode 15 - FileCreateStreamHash: non-standard ADS stream written to disk */
    event.code == "15" and
    file.path : "*:*" and
    not file.path : "*:Zone.Identifier*"
  ) or
  (
    /* Process creation events with ADS manipulation patterns */
    event.category : "process" and event.type : "start" and
    (
      /* PowerShell ADS read/write via built-in cmdlets */
      (process.name : ("powershell.exe", "pwsh.exe") and
       process.command_line : ("*Get-Item*:*", "*Set-Content*:*", "*Add-Content*:*", "*Get-Content*:*") and
       not process.command_line : "*Zone.Identifier*") or
      /* cmd.exe echo redirect to ADS: echo payload > legit.txt:hidden.exe */
      (process.name : "cmd.exe" and
       process.command_line : ("*echo*:*.*", "*> *:*.*") and
       not process.command_line : "*Zone.Identifier*") or
      /* Sysinternals Streams utility for ADS enumeration */
      process.name : ("streams.exe", "streams64.exe") or
      /* Generic /ads or -ads flags used by ADS-aware tools */
      (process.command_line : ("*/ads*", "*-ads*") and
       not process.command_line : "*Zone.Identifier*")
    )
  )
Severity: high · Confidence: high

Detects NTFS Alternate Data Stream (ADS) abuse via Sysmon FileCreateStreamHash events (EventCode 15) and process creation events targeting ADS manipulation. Covers PowerShell ADS cmdlets (Get-Item, Set-Content, Add-Content), cmd.exe echo-to-ADS redirects, and Sysinternals Streams utility usage. Excludes legitimate Zone.Identifier streams written by browsers and Windows Attachment Manager. Targets techniques used by Regin, APT32, Valak, and LoJax for payload hiding in NTFS streams.
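To show how the rule's branches behave on concrete telemetry, here is an added Python re-implementation of its logic over constructed events; it is not Elastic's code or part of the rule above. It also tightens the drive-letter false positive noted under tuning by requiring an ADS-shaped path (prefix, then a second colon) rather than any colon. Field names follow the ECS fields the query uses; the sample events are constructed.

```python
import re
# Sysmon Event ID 15 (FileCreateStreamHash) fires for named streams. Match a stream
# suffix only after a drive-letter or UNC prefix, so "C:\dir\file.txt" is not an ADS.
ADS_PATH_RE = re.compile(
    r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\)[^:]*:(?P<stream>[^:\\]+)(?::\$DATA)?$")
BENIGN_STREAMS = {"zone.identifier"}  # browser / Attachment Manager mark-of-the-web
PS_CMDLETS = ("get-item", "set-content", "add-content", "get-content")

def ads_stream(path):
    m = ADS_PATH_RE.match(path)  # ADS name if path names a stream, else None
    return m.group("stream") if m else None

def is_suspicious_ads_path(path):
    stream = ads_stream(path)
    return stream is not None and stream.lower() not in BENIGN_STREAMS

def match_event(ev):
    """Mirror the EQL rule: Sysmon 15 stream writes, or ADS-related process starts."""
    if ev.get("event.code") == "15":
        return is_suspicious_ads_path(ev.get("file.path", ""))
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    name = ev.get("process.name", "").lower()
    cmd = ev.get("process.command_line", "")
    lc = cmd.lower()
    if name in ("streams.exe", "streams64.exe"):
        return True
    generic_flag = ("/ads" in lc or "-ads" in lc) and "zone.identifier" not in lc
    # Require an ADS-shaped path token (unquoted, no spaces) instead of any colon,
    # which every drive-letter path contains; this tightening is an assumption, not the rule.
    has_ads_token = any(is_suspicious_ads_path(t.strip("'\"")) for t in cmd.split())
    if name in ("powershell.exe", "pwsh.exe"):
        return generic_flag or (has_ads_token and any(c in lc for c in PS_CMDLETS))
    if name == "cmd.exe":
        return generic_flag or (has_ads_token and (">" in cmd or "echo" in lc))
    return generic_flag

# Constructed sample events (not real telemetry), keyed by the ECS fields the rule uses.
SAMPLE_EVENTS = [
    {"event.code": "15", "file.path": r"C:\Users\u\AppData\Local\Temp\legitimate.txt:hidden_payload.exe"},
    {"event.code": "15", "file.path": r"C:\Users\u\Downloads\setup.exe:Zone.Identifier"},
    {"event.category": "process", "event.type": "start", "process.name": "cmd.exe",
     "process.command_line": r"cmd.exe /c echo hello > C:\Temp\notes.txt"},
    {"event.category": "process", "event.type": "start", "process.name": "cmd.exe",
     "process.command_line": r"cmd.exe /c echo payload > C:\Temp\legit.txt:hidden.exe"},
    {"event.category": "process", "event.type": "start", "process.name": "powershell.exe",
     "process.command_line": r"powershell.exe Set-Content -Path C:\Temp\normal.txt:hidden_data -Value x"},
]

def alerts(events=SAMPLE_EVENTS):
    return [i for i, ev in enumerate(events) if match_event(ev)]  # notes.txt echo stays quiet
```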

Data Sources

  • Elastic Endpoint Security
  • Winlogbeat with Sysmon
  • Elastic Agent (Windows integration)

Required Tables

  • logs-endpoint.events.process-*
  • logs-endpoint.events.file-*
  • winlogbeat-*

False Positives & Tuning

  • Sysinternals Streams.exe used legitimately by IT administrators and incident responders to audit or remove ADS from corporate file servers and endpoints during maintenance or forensic activities
  • PowerShell automation scripts referencing drive letter paths (e.g., 'C:\path\file') or UNC paths that contain colons and inadvertently match ADS detection patterns in the command line
  • Backup and archival software such as Robocopy with /COPYALL or enterprise backup agents (Veeam, Commvault) that preserve and restore ADS metadata, triggering FileCreateStreamHash events with custom stream names
  • Security scanning tools and DLP agents that enumerate or inspect ADS content as part of endpoint compliance checks, generating both process and file events matching these patterns
  • Visual Studio, MSBuild, and other developer toolchains that may use NTFS streams for build artifact tracking or project metadata on developer workstations
Testing Methodology

Validate this detection against three Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hide Payload in NTFS Alternate Data Stream

    Expected signal: Sysmon Event ID 15 (File stream created): TargetFilename=legitimate.txt:hidden_payload.exe in the Temp directory. Sysmon Event ID 1 for cmd.exe creating the stream. 'dir /r' reveals the ADS in its output.

  2. Test 2: Execute Script from Alternate Data Stream

    Expected signal: Sysmon Event ID 15: ADS creation for readme.txt:evil.vbs. Sysmon Event ID 1: wscript.exe with the ADS path in the command line. Security Event ID 4688 for wscript.exe.

  3. Test 3: PowerShell ADS Manipulation

    Expected signal: Sysmon Event ID 15: ADS creation for normal.txt:hidden_data. Sysmon Event ID 1: powershell.exe with Set-Content and the ADS path in the command line. PowerShell ScriptBlock Log Event ID 4104.
