T1564.004 IBM QRadar · QRadar

Detect NTFS File Attributes in IBM QRadar

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.004 NTFS File Attributes
Canonical reference
https://attack.mitre.org/techniques/T1564/004/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS source_ip,
  username AS user_name,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  /* devicetype is the log source type id column; LOGSOURCETYPENAME() resolves it */
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  UTF8(payload) AS raw_event
FROM events
WHERE
  /* last 24 hours: starttime and NOW() are epoch milliseconds */
  starttime > (NOW() - 86400000)
  /* log source type ids listed under Data Sources */
  AND devicetype IN (12, 13)
  AND (
    /* Sysmon EventCode 15: FileCreateStreamHash - ADS stream creation */
    (
      (QIDNAME(qid) ILIKE '%FileCreateStreamHash%'
       OR QIDNAME(qid) ILIKE '%Sysmon%15%')
      AND UTF8(payload) MATCHES '.*:[A-Za-z0-9_-]+\\.[A-Za-z0-9]+.*'
      AND UTF8(payload) NOT ILIKE '%Zone.Identifier%'
    )
    OR
    /* Sysmon EventCode 1 / Windows EventCode 4688: Process creation with ADS patterns */
    (
      (QIDNAME(qid) ILIKE '%Process Create%'
       OR QIDNAME(qid) ILIKE '%ProcessCreate%'
       OR QIDNAME(qid) ILIKE '%4688%')
      AND (
        /* PowerShell ADS cmdlets */
        (UTF8(payload) ILIKE '%powershell.exe%'
         AND (
           UTF8(payload) ILIKE '%Get-Item%'
           OR UTF8(payload) ILIKE '%Set-Content%'
           OR UTF8(payload) ILIKE '%Add-Content%'
         )
         AND UTF8(payload) NOT ILIKE '%Zone.Identifier%'
         AND UTF8(payload) LIKE '%:%')
        /* Sysinternals Streams utility */
        OR UTF8(payload) ILIKE '%streams.exe%'
        OR UTF8(payload) ILIKE '%streams64.exe%'
        /* ADS enumeration flags */
        OR UTF8(payload) ILIKE '% /ads%'
        OR UTF8(payload) ILIKE '% -ads%'
        /* cmd.exe echo redirect to ADS */
        OR UTF8(payload) MATCHES '.*echo.*>.*:[A-Za-z0-9_]+\\.[A-Za-z0-9]+.*'
      )
    )
  )
ORDER BY starttime DESC
```

Severity: high. Confidence: medium.

Detects NTFS ADS abuse in QRadar by querying Windows Security and Sysmon log sources for FileCreateStreamHash events (Sysmon EventCode 15) where the target filename contains a colon-separated stream name other than Zone.Identifier, and process creation events (Sysmon EventCode 1 or Windows EventCode 4688) containing PowerShell ADS manipulation cmdlets, Sysinternals Streams utility, or cmd.exe echo-to-ADS redirect patterns. Uses UTF8(payload) raw log matching as Sysmon fields may not be fully normalized in all QRadar deployments.

Data Sources

Microsoft Windows Security Event Log (LOGSOURCETYPEID 13)
Sysmon forwarded via Windows Event Log (LOGSOURCETYPEID 12)

Required Tables

events

False Positives & Tuning

  • Zone.Identifier ADS streams automatically created by SmartScreen, web browsers, and the Windows Attachment Manager on downloaded files are excluded from the FileCreateStreamHash branch, but adjacent events may still appear in context
  • IT administrators using Sysinternals Streams.exe for ADS auditing on file servers, digital forensics investigations, or pre-incident-response baseline enumeration tasks
  • PowerShell scripts using Get-Item or Set-Content with drive-letter paths (e.g., 'C:\Windows\...') or registry provider paths that contain colons as part of the path syntax rather than as ADS stream delimiters
  • The stream regex in the FileCreateStreamHash branch, ':[A-Za-z0-9_-]+\.[A-Za-z0-9]+', also accepts the seconds and milliseconds of a Sysmon UtcTime value (e.g., ':56.789'), so in practice that branch fires on every Event ID 15 that is not a Zone.Identifier stream; requiring the stream name to start with a letter or underscore restricts it to actual stream names

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hide Payload in NTFS Alternate Data Stream

    Expected signal: Sysmon Event ID 15 (FileStream Created): TargetFilename=legitimate.txt:hidden_payload.exe in Temp directory. Sysmon Event ID 1 for cmd.exe creating the stream. 'dir /r' reveals the ADS in its output.

  2. Test 2: Execute Script from Alternate Data Stream

    Expected signal: Sysmon Event ID 15: ADS creation for readme.txt:evil.vbs. Sysmon Event ID 1: wscript.exe with ADS path in command line. Security Event ID 4688 for wscript.exe.

  3. Test 3: PowerShell ADS Manipulation

    Expected signal: Sysmon Event ID 15: ADS creation for normal.txt:hidden_data. Sysmon Event ID 1: powershell.exe with Set-Content and ADS path in command line. PowerShell ScriptBlock Log Event ID 4104.
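The following is an added example, not part of this page's rule package: the two branches of the AQL query above re-implemented in Python and run over constructed payloads modelled on the expected signals of the three tests, plus benign lookalikes from the tuning list. The dictionary keys (event_name for QIDNAME(qid), devicetype for the log source type id, payload for UTF8(payload)), the sample paths and usernames, and the tightened stream regex are all assumptions made for the illustration; the two regexes labelled as the page's own are copied from the query.

```python
import re
from typing import Optional

# Stream-name pattern exactly as the page's query uses it (the MATCHES branch).
PAGE_STREAM_RE = re.compile(r":[A-Za-z0-9_-]+\.[A-Za-z0-9]+")
# Tightened variant (assumption, not on the page): the stream name must start with
# a letter or underscore and the extension is optional, so ":56.789" from a Sysmon
# UtcTime value no longer matches while "normal.txt:hidden_data" does.
TIGHT_STREAM_RE = re.compile(r":[A-Za-z_][A-Za-z0-9_-]*(?:\.[A-Za-z0-9]+)?")
# cmd.exe echo-redirect pattern from the page's process-creation branch.
ECHO_ADS_RE = re.compile(r"echo.*>.*:[A-Za-z0-9_]+\.[A-Za-z0-9]+", re.DOTALL)
PS_ADS_CMDLETS = ("get-item", "set-content", "add-content")


def is_stream_create(event_name: str) -> bool:
    """QIDNAME(qid) ILIKE '%FileCreateStreamHash%' OR ILIKE '%Sysmon%15%'."""
    n = event_name.lower()
    return "filecreatestreamhash" in n or re.search(r"sysmon.*15", n) is not None


def is_process_create(event_name: str) -> bool:
    """QIDNAME(qid) ILIKE '%Process Create%' / '%ProcessCreate%' / '%4688%'."""
    n = event_name.lower()
    return "process create" in n or "processcreate" in n or "4688" in n


def stream_candidates(payload: str, stream_re=PAGE_STREAM_RE) -> list:
    """Every substring of the raw payload that the stream regex accepts."""
    return stream_re.findall(payload)


def classify(event: dict, stream_re=PAGE_STREAM_RE) -> Optional[str]:
    """Return the name of the query branch that fires for one event, or None."""
    if event["devicetype"] not in (12, 13):           # devicetype IN (12, 13)
        return None
    name, payload = event["event_name"], event["payload"]
    low = payload.lower()                              # ILIKE comparisons

    # Branch 1: Sysmon Event ID 15 carrying a stream name other than Zone.Identifier.
    if (is_stream_create(name) and stream_re.search(payload)
            and "zone.identifier" not in low):
        return "ads_stream_created"

    # Branch 2: process creation with ADS cmdlets, tooling, flags or echo redirects.
    if is_process_create(name):
        if ("powershell.exe" in low and any(c in low for c in PS_ADS_CMDLETS)
                and "zone.identifier" not in low and ":" in payload):
            return "powershell_ads_cmdlet"
        if "streams.exe" in low or "streams64.exe" in low:
            return "sysinternals_streams"
        if " /ads" in low or " -ads" in low:
            return "ads_enumeration_flag"
        if ECHO_ADS_RE.search(payload):
            return "cmd_echo_redirect_to_ads"
    return None


def run(events: list, stream_re=PAGE_STREAM_RE) -> dict:
    """Map event index -> branch name for every event the logic flags."""
    hits = {}
    for i, ev in enumerate(events):
        branch = classify(ev, stream_re)
        if branch:
            hits[i] = branch
    return hits


# Constructed sample payloads (not captured telemetry), one per expected signal.
PS_IMG = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # 0: Test 1, Sysmon 15 for legitimate.txt:hidden_payload.exe
    {"event_name": "Sysmon 15 FileCreateStreamHash", "devicetype": 12,
     "payload": "UtcTime: 2024-05-01 12:34:56.789 Image: C:\\Windows\\System32\\cmd.exe "
                "TargetFilename: C:\\Users\\bob\\AppData\\Local\\Temp\\legitimate.txt:hidden_payload.exe"},
    # 1: benign download tagging (Zone.Identifier), excluded by the query
    {"event_name": "Sysmon 15 FileCreateStreamHash", "devicetype": 12,
     "payload": "UtcTime: 2024-05-01 12:35:01.123 Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe "
                "TargetFilename: C:\\Users\\bob\\Downloads\\report.pdf:Zone.Identifier"},
    # 2: Test 3, Sysmon 15 for normal.txt:hidden_data (stream has no extension)
    {"event_name": "Sysmon 15 FileCreateStreamHash", "devicetype": 12,
     "payload": "UtcTime: 2024-05-01 12:36:10.456 Image: " + PS_IMG +
                " TargetFilename: C:\\Users\\bob\\AppData\\Local\\Temp\\normal.txt:hidden_data"},
    # 3: Test 3, Sysmon 1 for powershell.exe writing the stream with Set-Content
    {"event_name": "Sysmon 1 Process Create", "devicetype": 12,
     "payload": "Image: " + PS_IMG + " CommandLine: powershell.exe -c "
                "\"Set-Content -Path C:\\Temp\\normal.txt -Stream hidden_data -Value secret\""},
    # 4: Test 2, Security 4688 for wscript.exe launching readme.txt:evil.vbs
    {"event_name": "Process Create 4688", "devicetype": 13,
     "payload": "A new process has been created. New Process Name: C:\\Windows\\System32\\wscript.exe "
                "Process Command Line: wscript.exe C:\\Temp\\readme.txt:evil.vbs"},
    # 5: Test 1, Sysmon 1 for the cmd.exe echo redirect that created the stream
    {"event_name": "Sysmon 1 Process Create", "devicetype": 12,
     "payload": "CommandLine: cmd.exe /c echo payload > C:\\Temp\\legitimate.txt:hidden_payload.exe"},
    # 6: out-of-scope log source type with a colon-dot pattern in its payload
    {"event_name": "Linux OS sshd message", "devicetype": 11,
     "payload": "sshd[123]: Accepted publickey for bob from 10.0.0.5 port 22 ssh2: RSA SHA256:abc.def"},
    # 7: tuning-list false positive: Set-Content with a drive-letter path, no stream
    {"event_name": "Sysmon 1 Process Create", "devicetype": 12,
     "payload": "CommandLine: powershell.exe -c \"Set-Content -Path C:\\ProgramData\\app\\status.txt -Value ok\""},
]

if __name__ == "__main__":
    for i, branch in run(SAMPLE_EVENTS).items():
        print(f"event {i}: {branch}")
    print("page regex on event 1:", stream_candidates(SAMPLE_EVENTS[1]["payload"]))
    print("tight regex on event 1:", stream_candidates(SAMPLE_EVENTS[1]["payload"], TIGHT_STREAM_RE))
```

Two things the run makes visible that the query text alone does not. Event 4 (Test 2's wscript.exe process creation) is not matched by the process-creation branch, which only knows PowerShell cmdlets, Streams.exe, /ads flags and echo redirects; that test is covered by its Event ID 15 signal only. And stream_candidates shows the page's regex pulling ':01.123' out of the UtcTime field, which is why event 2 (a stream with no extension) still fires under the page's regex; the tightened variant fires on it for the stream name itself, and event 7 fires under both because of the drive-letter colon the tuning list warns about.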
