T1564.004 Microsoft Sentinel · KQL

Detect NTFS File Attributes in Microsoft Sentinel

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.004 NTFS File Attributes
Canonical reference: https://attack.mitre.org/techniques/T1564/004/

KQL Detection Query

Microsoft Sentinel (KQL)

// Leg 1: process command lines that reference an alternate data stream
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine matches regex @":\w+\.\w+"          // colon notation: file.txt:stream.ext
   or ProcessCommandLine has "streams" or ProcessCommandLine has "/ads"
   or (FileName =~ "powershell.exe" and ProcessCommandLine has "Get-Item" and ProcessCommandLine has "Stream")
   or (FileName =~ "powershell.exe" and ProcessCommandLine has "Add-Content" and ProcessCommandLine contains ":")
| extend ADSWrite = ProcessCommandLine matches regex @"echo.+>.*:\w+"   // echo ... > file:stream
| extend PowerShellADS = ProcessCommandLine has_any ("Get-Item", "Set-Content", "Add-Content") and ProcessCommandLine contains ":"
| extend StreamsUtil = ProcessCommandLine has_any ("streams.exe", "streams64.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         ADSWrite, PowerShellADS, StreamsUtil
// Leg 2: file events whose name carries a stream suffix (union must be piped in KQL)
| union (
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where FileName contains ":"
  | where ActionType in ("FileCreated", "FileModified")
  | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, ActionType
)
| sort by Timestamp desc

Severity: High · Confidence: Medium

Detects NTFS Alternate Data Stream (ADS) usage for payload hiding. The query monitors for colon notation in file paths (file.txt:hidden_data), PowerShell ADS manipulation cmdlets (Get-Item with the -Stream parameter, Set-Content with an ADS path), and ADS-related utility usage. It also monitors DeviceFileEvents for a colon in the file name, which indicates ADS creation or modification.

Data Sources

  • File: File Creation
  • File: File Modification
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Zone.Identifier ADS stream automatically added by Windows on files downloaded from the internet (Mark of the Web) — this is the most common legitimate ADS
  • Some legitimate software that uses ADS for storing metadata or licensing information
  • Security tools and forensic utilities that read or write ADS for analysis purposes
  • macOS compatibility layers that use resource forks stored as ADS streams on NTFS
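The process-event and file-event legs of the query above, combined with the Zone.Identifier exclusion from the tuning notes, as an added Python example that is not part of this page or of Microsoft Sentinel. The event rows are constructed samples, and the PowerShell condition is tightened so that a bare drive-letter colon (C:\...) does not count as an ADS indicator.

```python
import re

# Constructed sample telemetry shaped like DeviceProcessEvents / DeviceFileEvents rows
# (assumption: only the columns the detection reads are modelled).
PROCESS_EVENTS = [
    {"FileName": "cmd.exe", "ProcessCommandLine": r"cmd.exe /c echo payload > C:\Temp\legitimate.txt:hidden_payload.exe"},
    {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe Set-Content -Path normal.txt -Stream hidden_data -Value x"},
    {"FileName": "streams64.exe", "ProcessCommandLine": r"streams64.exe -d C:\Temp"},
    {"FileName": "powershell.exe", "ProcessCommandLine": r"powershell.exe Get-Item C:\Users\a\report.docx"},
    {"FileName": "powershell.exe", "ProcessCommandLine": r"powershell.exe Get-Item .\setup.exe -Stream Zone.Identifier"},
]
FILE_EVENTS = [
    {"FileName": "readme.txt:evil.vbs", "ActionType": "FileCreated"},
    {"FileName": "installer.exe:Zone.Identifier", "ActionType": "FileCreated"},  # Mark of the Web
    {"FileName": "notes.txt", "ActionType": "FileModified"},
]

ADS_PATH_RE = re.compile(r":\w+\.\w+")        # the query's colon-notation regex
ADS_WRITE_RE = re.compile(r"echo.+>.*:\w+")   # echo ... > file:stream
PS_ADS_CMDLETS = ("Get-Item", "Set-Content", "Add-Content")
STREAM_UTILS = ("streams.exe", "streams64.exe")
BENIGN_STREAMS = ("zone.identifier",)         # written by Windows itself (tuning note)

def is_benign_stream(text):
    return any(s in text.lower() for s in BENIGN_STREAMS)

def classify_process(event):
    """Return the flags one process event trips, or None when it is not an ADS indicator."""
    cl, exe = event["ProcessCommandLine"], event["FileName"].lower()
    if is_benign_stream(cl):
        return None
    ps_cmdlet = exe == "powershell.exe" and any(c in cl for c in PS_ADS_CMDLETS)
    flags = {
        "ADSPath": ADS_PATH_RE.search(cl) is not None,
        "ADSWrite": ADS_WRITE_RE.search(cl) is not None,
        # Tightened versus the query: a plain drive-letter colon (C:\...) does not count.
        "PowerShellADS": ps_cmdlet and ("-Stream" in cl or ADS_PATH_RE.search(cl) is not None),
        "StreamsUtil": any(u in cl.lower() for u in STREAM_UTILS),
    }
    return flags if any(flags.values()) else None

def classify_file(event):
    """DeviceFileEvents leg: a colon in FileName on create/modify, minus Mark of the Web."""
    return (":" in event["FileName"] and event["ActionType"] in ("FileCreated", "FileModified")
            and not is_benign_stream(event["FileName"]))

def detect(process_events, file_events):
    hits = [dict(e, **f) for e in process_events if (f := classify_process(e)) is not None]
    hits += [dict(e, ADSFile=True) for e in file_events if classify_file(e)]
    return hits
```

Running `detect(PROCESS_EVENTS, FILE_EVENTS)` keeps the cmd.exe write, the Set-Content call, the streams64.exe run and the readme.txt:evil.vbs file event, while the plain Get-Item path and both Zone.Identifier rows fall out.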

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hide Payload in NTFS Alternate Data Stream

    Expected signal: Sysmon Event ID 15 (FileStream Created): TargetFilename=legitimate.txt:hidden_payload.exe in Temp directory. Sysmon Event ID 1 for cmd.exe creating the stream. 'dir /r' reveals the ADS in its output.

  2. Test 2: Execute Script from Alternate Data Stream

    Expected signal: Sysmon Event ID 15: ADS creation for readme.txt:evil.vbs. Sysmon Event ID 1: wscript.exe with ADS path in command line. Security Event ID 4688 for wscript.exe.

  3. Test 3: PowerShell ADS Manipulation

    Expected signal: Sysmon Event ID 15: ADS creation for normal.txt:hidden_data. Sysmon Event ID 1: powershell.exe with Set-Content and ADS path in command line. PowerShell ScriptBlock Log Event ID 4104.
