Detect NTFS File Attributes in Splunk
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.004 NTFS File Attributes
- Canonical reference
- https://attack.mitre.org/techniques/T1564/004/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=15
| eval SuspiciousADS=if(match(TargetFilename, ":[a-zA-Z0-9]+\.[a-zA-Z0-9]+$") AND NOT match(TargetFilename, ":Zone.Identifier"), 1, 0)
| where SuspiciousADS=1
| table _time, host, User, TargetFilename, Hash, Image
| sort - _time
union
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\powershell.exe" OR Image="*\\cmd.exe")
(CommandLine="*:\\*" AND (CommandLine="*Get-Item*" OR CommandLine="*Set-Content*" OR CommandLine="*Add-Content*"))
| eval ADSPowerShell=1
| table _time, host, User, Image, CommandLine, ADSPowerShell]Detects NTFS ADS creation using Sysmon Event ID 15 (FileStream Created) which specifically logs alternate data stream creation events. Also catches PowerShell ADS manipulation via process creation events. Zone.Identifier is excluded as it is a benign Windows Mark of the Web mechanism.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Zone.Identifier ADS automatically added on internet-downloaded files (excluded in query)
- Software using ADS for metadata or licensing storage
- Security and forensic tools reading/writing ADS for analysis
- macOS compatibility ADS usage on NTFS volumes
Other platforms for T1564.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide Payload in NTFS Alternate Data Stream
Expected signal: Sysmon Event ID 15 (FileStream Created): TargetFilename=legitimate.txt:hidden_payload.exe in Temp directory. Sysmon Event ID 1 for cmd.exe creating the stream. 'dir /r' reveals the ADS in its output.
- Test 2Execute Script from Alternate Data Stream
Expected signal: Sysmon Event ID 15: ADS creation for readme.txt:evil.vbs. Sysmon Event ID 1: wscript.exe with ADS path in command line. Security Event ID 4688 for wscript.exe.
- Test 3PowerShell ADS Manipulation
Expected signal: Sysmon Event ID 15: ADS creation for normal.txt:hidden_data. Sysmon Event ID 1: powershell.exe with Set-Content and ADS path in command line. PowerShell ScriptBlock Log Event ID 4104.
References (5)
- https://attack.mitre.org/techniques/T1564/004/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
- https://www.sans.org/blog/alternate-data-streams-overview/
- https://docs.microsoft.com/en-us/sysinternals/downloads/streams
Unlock Pro Content
Get the full detection package for T1564.004 including response playbook, investigation guide, and atomic red team tests.