T1564.004 Sumo Logic CSE · Sumo

Detect NTFS File Attributes in Sumo Logic CSE

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with records for every file/directory. Files in the MFT can contain multiple data streams — the primary :$DATA stream and additional Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe') since standard Windows tools don't show ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.004 NTFS File Attributes
Canonical reference: https://attack.mitre.org/techniques/T1564/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
(EventCode=15 OR EventCode=1)
/* Sumo parse regex uses Java-style named groups (?<name>...), not (?P<name>...) */
| parse regex "EventCode(?:Id)?[=: ]+(?<EventCode>\d+)" nodrop
/* negative lookbehind keeps ParentImage / ParentCommandLine from being captured as Image / CommandLine */
| parse regex "(?<!Parent)Image[=: ]+(?<Image>[^\r\n]+)" nodrop
| parse regex "(?<!Parent)CommandLine[=: ]+(?<CommandLine>[^\r\n]+)" nodrop
| parse regex "TargetFilename[=: ]+(?<TargetFilename>[^\r\n]+)" nodrop
| parse regex "User(?:Name)?[=: ]+(?<User>[^\r\n]+)" nodrop
| parse regex "Computer(?:Name)?[=: ]+(?<Computer>[^\r\n]+)" nodrop
| parse regex "Hashes[=: ]+(?<Hashes>[^\r\n]+)" nodrop
| parse regex "ParentImage[=: ]+(?<ParentImage>[^\r\n]+)" nodrop
| where (
    /* Sysmon Event 15: FileCreateStreamHash, a named stream other than Zone.Identifier was written */
    (EventCode = "15"
     AND TargetFilename matches /:[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+$/
     AND !(TargetFilename matches /:Zone\.Identifier/))
    OR
    /* Sysmon Event 1: process creation with ADS manipulation */
    (EventCode = "1"
     AND (
       Image matches /(?i)(streams|streams64)\.exe$/
       OR CommandLine matches /(?i)\/ads/
       OR (
         Image matches /(?i)(powershell|pwsh)\.exe$/
         /* a bare string with matches is an exact match; use a regex (or "*x*" glob) for substring matching */
         AND CommandLine matches /(?i)(Get-Item|Set-Content|Add-Content)/
         AND CommandLine matches "*:*"
         AND !(CommandLine matches /:Zone\.Identifier/)
       )
       OR (
         Image matches /(?i)cmd\.exe$/
         AND CommandLine matches /echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+/
       )
     ))
  )
/* Sumo has no eval operator; derive the triage label with nested if() ... as */
| if(EventCode = "15", "ADS_FileStream_Created",
    if(Image matches /(?i)(streams|streams64)\.exe$/, "ADS_StreamsUtility",
    if(Image matches /(?i)(powershell|pwsh)\.exe$/, "ADS_PowerShell",
    "ADS_CmdRedirect"))) as DetectionType
| fields _messagetime, Computer, User, TargetFilename, CommandLine, Image, ParentImage, EventCode, DetectionType, Hashes
| sort by _messagetime desc
Severity: High · Confidence: High

Detects NTFS Alternate Data Stream manipulation in Sumo Logic by searching Sysmon logs for Event ID 15 (FileCreateStreamHash) where the target filename ends in a named stream other than Zone.Identifier, and for Event ID 1 (Process Create) events matching Sysinternals Streams execution, PowerShell ADS cmdlets (Get-Item, Set-Content, Add-Content with a colon-containing path), or cmd.exe echo-to-ADS redirects. Each hit is labelled with a derived DetectionType field (ADS_FileStream_Created, ADS_StreamsUtility, ADS_PowerShell, ADS_CmdRedirect) for analyst triage.
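To see which events the where-clause and DetectionType logic above would keep, here is the same classification re-implemented in Python and run over a few constructed Sysmon events in the one-field-per-line layout the parse stages expect. This is an added example, not code from the original page or from Sumo Logic; the sample events, field names and helper names are assumptions.

```python
import re
# Field extraction mirroring the query's parse-regex stages, anchored at line start so ParentImage/ParentCommandLine are skipped.
FIELD_RE = {
    "EventCode": re.compile(r"(?m)^EventCode(?:Id)?[=: ]+(\d+)"),
    "Image": re.compile(r"(?m)^Image[=: ]+([^\r\n]+)"),
    "CommandLine": re.compile(r"(?m)^CommandLine[=: ]+([^\r\n]+)"),
    "TargetFilename": re.compile(r"(?m)^TargetFilename[=: ]+([^\r\n]+)"),
}
# Predicates copied from the query's where-clause.
ADS_STREAM_RE = re.compile(r":[a-zA-Z0-9_\-]+\.[a-zA-Z0-9]+$")   # named stream WITH an extension
STREAMS_RE = re.compile(r"(?i)(streams|streams64)\.exe$")
PS_RE = re.compile(r"(?i)(powershell|pwsh)\.exe$")
PS_CMDLET_RE = re.compile(r"(?i)(Get-Item|Set-Content|Add-Content)")
CMD_ECHO_RE = re.compile(r"echo.+>.*:[a-zA-Z0-9_]+\.[a-zA-Z0-9]+")

def parse_event(raw):
    """Extract the four fields the classifier needs; a missing field becomes '' (like nodrop)."""
    return {k: (m.group(1).strip() if (m := rx.search(raw)) else "") for k, rx in FIELD_RE.items()}

def classify(ev):
    """Return the DetectionType label the query would assign, or None if the event is not matched."""
    code, image, cmd, target = ev["EventCode"], ev["Image"], ev["CommandLine"], ev["TargetFilename"]
    if code == "15":  # FileCreateStreamHash: any named stream except the browser Zone.Identifier mark
        ok = ADS_STREAM_RE.search(target) and ":Zone.Identifier" not in target
        return "ADS_FileStream_Created" if ok else None
    if code != "1":
        return None
    ps_ads = (PS_RE.search(image) and PS_CMDLET_RE.search(cmd) and ":" in cmd
              and ":Zone.Identifier" not in cmd)
    cmd_ads = re.search(r"(?i)cmd\.exe$", image) and CMD_ECHO_RE.search(cmd)
    if not (STREAMS_RE.search(image) or re.search(r"(?i)/ads", cmd) or ps_ads or cmd_ads):
        return None
    if STREAMS_RE.search(image):
        return "ADS_StreamsUtility"
    return "ADS_PowerShell" if PS_RE.search(image) else "ADS_CmdRedirect"

# Constructed sample events (not real telemetry): an ADS write, a benign Zone.Identifier write, streams64, PowerShell, cmd echo, and a non-ADS process.
SAMPLE_EVENTS = [
    "EventCode: 15\nImage: C:\\Windows\\System32\\cmd.exe\nTargetFilename: C:\\Temp\\legitimate.txt:hidden_payload.exe",
    "EventCode: 15\nImage: C:\\Browser\\browser.exe\nTargetFilename: C:\\Users\\a\\Downloads\\setup.exe:Zone.Identifier",
    "EventCode: 1\nImage: C:\\Tools\\streams64.exe\nCommandLine: streams64.exe -s C:\\Temp",
    "EventCode: 1\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nCommandLine: powershell.exe Set-Content -Path C:\\Temp\\normal.txt:hidden_data -Value x",
    "EventCode: 1\nImage: C:\\Windows\\System32\\cmd.exe\nCommandLine: cmd.exe /c echo payload > C:\\Temp\\readme.txt:evil.vbs",
    "EventCode: 1\nImage: C:\\Windows\\System32\\notepad.exe\nCommandLine: notepad.exe C:\\Temp\\notes.txt",
]

def run(events=SAMPLE_EVENTS):
    """Classify every event; None entries are events the query would not alert on."""
    return [classify(parse_event(raw)) for raw in events]
```

Two properties of the query fall out of running this: the Event 15 branch only fires when the stream name has an extension (a stream such as `normal.txt:hidden_data` is caught only via the Event 1 PowerShell branch), and the PowerShell branch's colon check is satisfied by any drive-letter path, which is why the tuning notes below matter.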

Data Sources

  • Windows Sysmon (via Sumo Logic Windows Source or Installed Collector)
  • Windows Event Log Security Source

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*
  • _sourceCategory=*winlogbeat*

False Positives & Tuning

  • Security endpoint agents (CrowdStrike, Carbon Black, Defender) that enumerate or interact with NTFS ADS during real-time scanning may generate EventCode 15 events with custom stream names on scanned files
  • Sysinternals Streams.exe legitimately run by IT security teams for ADS enumeration or cleanup operations on file servers or during incident response investigations
  • PowerShell DSC (Desired State Configuration) or configuration management scripts that use Set-Content or Add-Content with colon-containing path expressions for system provisioning tasks

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hide Payload in NTFS Alternate Data Stream

    Expected signal: Sysmon Event ID 15 (FileStream Created): TargetFilename=legitimate.txt:hidden_payload.exe in Temp directory. Sysmon Event ID 1 for cmd.exe creating the stream. 'dir /r' reveals the ADS in its output.

  2. Test 2: Execute Script from Alternate Data Stream

    Expected signal: Sysmon Event ID 15: ADS creation for readme.txt:evil.vbs. Sysmon Event ID 1: wscript.exe with ADS path in command line. Security Event ID 4688 for wscript.exe.

  3. Test 3: PowerShell ADS Manipulation

    Expected signal: Sysmon Event ID 15: ADS creation for normal.txt:hidden_data. Sysmon Event ID 1: powershell.exe with Set-Content and ADS path in command line. PowerShell ScriptBlock Log Event ID 4104.
