Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)
ADS Root Process Creation
Query
DeviceProcessEvents
| where ProcessCommandLine matches regex @"(?i)^[A-Z]:\\:.+"About this query
Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)
Description
Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives. https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml
Detection Logic
- Filters
DeviceProcessEventsfor events related - Specifically looks for events where the ProcessCommandLine matches of ADS process
Tags
- Defense Evasion
Search Query
Explanation
This query looks for attempts to create Alternate Data Streams (ADS) in the root directories of Windows drives by filtering DeviceProcessEvents for events related to ADS processes.
Details

Ali Hussein
Released: May 16, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsProcessCommandLineADSWindows
Operators
wherematchesregex