Query Details

Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)

ADS Root Process Creation

Query

DeviceProcessEvents
| where ProcessCommandLine matches regex @"(?i)^[A-Z]:\\:.+"

About this query

Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)

Description

Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives. https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml

Detection Logic

  • Filters DeviceProcessEvents for events related
  • Specifically looks for events where the ProcessCommandLine matches of ADS process

Tags

  • Defense Evasion

Search Query

Explanation

This query looks for attempts to create Alternate Data Streams (ADS) in the root directories of Windows drives by filtering DeviceProcessEvents for events related to ADS processes.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 16, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsProcessCommandLineADSWindows

Operators

wherematchesregex

Actions

GitHub