KQL Search

Query Details

ADS Root Process Creation

Query

# Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows)

## Description
Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives.
https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/
https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml

## Detection Logic
- Filters `DeviceProcessEvents` for events related
- Specifically looks for events where the ProcessCommandLine matches of ADS process 

## Tags
- Defense Evasion

## Search Query
```kql
DeviceProcessEvents
| where ProcessCommandLine matches regex @"(?i)^[A-Z]:\\:.+"

Explanation

This query looks for attempts to create Alternate Data Streams (ADS) in the root directories of Windows drives by filtering DeviceProcessEvents for events related to ADS processes.

Details

Ali Hussein

Released: May 16, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,ProcessCommandLine,ADS,Windows

Operators

wherematchesregex

KQL Search

ADS Root Process Creation

Query

Explanation

Details

Actions