Query Details
AD Sroot Directory File Creation
Query
# Rule Documentation: Defense Evasion - Root Directory ADS Creation (Windows) ## Description Detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives. https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ https://github.com/elastic/detection-rules/blob/6150f222b2ce2a26e0874e96ab31479b1e4283a4/rules/windows/defense_evasion_root_dir_ads_creation.toml ## Detection Logic - Filters `DeviceFileEvents` for events related to file creation. - Specifically looks for events where the folder path matches the pattern of a root directory on a Windows drive and contains a colon (`:`) followed by a dollar sign (`$`) to indicate an ADS creation attempt. ## Tags - Defense Evasion ## Search Query ```kql DeviceFileEvents | where ActionType == "FileCreated" | where FolderPath matches regex @"(?i)^[A-Z]:\\:.+"
Explanation
This query detects attempts to create Alternate Data Streams (ADS) in root directories of Windows drives by filtering file creation events and looking for folder paths with a colon and dollar sign.
Details
Ali Hussein
Released: May 16, 2024
Tables
DeviceFileEvents
Keywords
DeviceFileEvents,ActionType,FileCreated,FolderPath,matches,regex,A-Z,colon,dollar,ADS,Creation,Windows,Drive
Operators
where FolderPath contains ":$"