Detect NTFS File Attributes in CrowdStrike LogScale
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.004 NTFS File Attributes
- Canonical reference: https://attack.mitre.org/techniques/T1564/004/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| (
CommandLine = /:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+/
OR ImageFileName = /(?i)(streams|streams64)\.exe$/
OR (
ImageFileName = /(?i)(powershell|pwsh)\.exe$/
AND CommandLine = /(?i)(Get-Item|Set-Content|Add-Content|Get-Content)/
AND CommandLine = /:/
)
OR (
ImageFileName = /(?i)cmd\.exe$/
AND CommandLine = /echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+/
)
)
| CommandLine != /Zone\.Identifier/
| CommandLine != /(?i)^[a-zA-Z]:\\\\/
| case {
ImageFileName = /(?i)(streams|streams64)\.exe$/ | ADSType := "StreamsUtility";
ImageFileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-Item|Set-Content|Add-Content)/ | ADSType := "PowerShellADS";
ImageFileName = /(?i)cmd\.exe$/ AND CommandLine = /echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+/ | ADSType := "CmdEchoADS";
* | ADSType := "ADSCommandPattern";
}
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, ADSType, UserSid], limit=1000)
| sort(@timestamp, order=desc)

Detects NTFS Alternate Data Stream (ADS) manipulation in CrowdStrike Falcon via LogScale CQL on ProcessRollup2 events. Identifies four distinct ADS abuse patterns: PowerShell ADS read/write cmdlets (Get-Item, Set-Content, Add-Content) with colon-stream paths, cmd.exe echo-to-ADS redirects, Sysinternals Streams utility execution, and generic command lines with ADS stream notation. Excludes Zone.Identifier streams and simple drive letter paths. Classifies each detection into an ADSType category for rapid analyst triage.
False Positives & Tuning
- Zone.Identifier ADS streams created by SmartScreen and web browsers on all downloaded files are excluded by the CommandLine filter, but parent process context may still surface downloads in correlated queries
- IT security teams running Sysinternals Streams.exe during forensic investigations, endpoint ADS audits, or incident response activities on compromised systems — correlate with parent process and user context to validate
- PowerShell-based configuration management and DevOps tooling (Ansible WinRM tasks, Chef DSC resources, Puppet manifests) using Set-Content or Add-Content in scripts where the colon in Windows registry provider paths (HKLM:\) matches ADS pattern filters
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Hide Payload in NTFS Alternate Data Stream
Expected signal: Sysmon Event ID 15 (FileStream Created): TargetFilename=legitimate.txt:hidden_payload.exe in Temp directory. Sysmon Event ID 1 for cmd.exe creating the stream. 'dir /r' reveals the ADS in its output.
- Test 2: Execute Script from Alternate Data Stream
Expected signal: Sysmon Event ID 15: ADS creation for readme.txt:evil.vbs. Sysmon Event ID 1: wscript.exe with ADS path in command line. Security Event ID 4688 for wscript.exe.
- Test 3: PowerShell ADS Manipulation
Expected signal: Sysmon Event ID 15: ADS creation for normal.txt:hidden_data. Sysmon Event ID 1: powershell.exe with Set-Content and ADS path in command line. PowerShell ScriptBlock Log Event ID 4104.
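To check how the LogScale query above would classify the telemetry from these three tests before deploying it, the following Python port of its selection and case() logic (an added example, not the rule's or CrowdStrike's code) replays constructed ProcessRollup2-style events, including the Zone.Identifier exclusion and the registry-provider false positive described under False Positives & Tuning. The image paths and command lines are constructed samples, not real telemetry.

```python
import re
# Port of the page's LogScale selection and case() logic (added example, not the rule's own
# code). Regexes are copied verbatim from the query; Python's re honours the (?i) prefix too.
ADS_PATH = re.compile(r":[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+")
STREAMS_EXE = re.compile(r"(?i)(streams|streams64)\.exe$")
POWERSHELL = re.compile(r"(?i)(powershell|pwsh)\.exe$")
PS_CMDLETS = re.compile(r"(?i)(Get-Item|Set-Content|Add-Content|Get-Content)")
PS_CASE_CMDLETS = re.compile(r"(?i)(Get-Item|Set-Content|Add-Content)")  # case() omits Get-Content
CMD_EXE = re.compile(r"(?i)cmd\.exe$")
CMD_ECHO_ADS = re.compile(r"echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+")
ZONE_ID = re.compile(r"Zone\.Identifier")
# In a LogScale regex literal \\\\ is two literal backslashes; the port keeps that behaviour as written.
DRIVE_PREFIX = re.compile(r"(?i)^[a-zA-Z]:\\\\")

def classify(image_file_name, command_line):
    """Return the ADSType the query would assign, or None if the event is not returned."""
    selected = (
        ADS_PATH.search(command_line)
        or STREAMS_EXE.search(image_file_name)
        or (POWERSHELL.search(image_file_name) and PS_CMDLETS.search(command_line) and ":" in command_line)
        or (CMD_EXE.search(image_file_name) and CMD_ECHO_ADS.search(command_line))
    )
    if not selected or ZONE_ID.search(command_line) or DRIVE_PREFIX.search(command_line):
        return None
    if STREAMS_EXE.search(image_file_name):
        return "StreamsUtility"
    if POWERSHELL.search(image_file_name) and PS_CASE_CMDLETS.search(command_line):
        return "PowerShellADS"
    if CMD_EXE.search(image_file_name) and CMD_ECHO_ADS.search(command_line):
        return "CmdEchoADS"
    return "ADSCommandPattern"

# Constructed events (not real telemetry): the three tests above, a Streams audit, a
# Zone.Identifier exclusion, and the registry-provider false positive noted earlier.
SYS32 = r"\Device\HarddiskVolume3\Windows\System32"
PS_IMG = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    "test1_cmd_echo": (SYS32 + r"\cmd.exe",
        r'"C:\Windows\System32\cmd.exe" /c echo payload > C:\Temp\legitimate.txt:hidden_payload.exe'),
    "test2_wscript": (SYS32 + r"\wscript.exe", r"wscript.exe C:\Temp\readme.txt:evil.vbs"),
    "test3_powershell": (PS_IMG, r'powershell.exe -Command "Set-Content -Path C:\Temp\normal.txt:hidden_data -Value secret"'),
    "streams_audit": (r"\Device\HarddiskVolume3\Tools\streams64.exe", r"streams64.exe -s C:\Users"),
    "zone_identifier": (PS_IMG, r'powershell.exe -Command "Get-Item C:\Downloads\setup.exe -Stream Zone.Identifier"'),
    "registry_fp": (PS_IMG, r'powershell.exe -Command "Set-Content -Path HKCU:\Software\Demo\Flag -Value 1"'),
}

def run_samples():
    """Classify every constructed event; None marks events the query would filter out."""
    return {name: classify(img, cmd) for name, (img, cmd) in SAMPLE_EVENTS.items()}
```

Test 3's stream name has no extension, so it is caught only by the PowerShell cmdlet branch, and the same branch is what fires on the HKCU: registry path.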
References (5)
- https://attack.mitre.org/techniques/T1564/004/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
- https://www.sans.org/blog/alternate-data-streams-overview/
- https://docs.microsoft.com/en-us/sysinternals/downloads/streams