KQL Search

Query Details

MDE NTFS File Attributes Alternate Data Streams

Query

# NTFS File Attributes - alternate data streams

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1564.004 | Defemse Evasion:Hide Artifacts: NTFS File Attributes | https://attack.mitre.org/techniques/T1564/004/ |

### Description

Use the below queries to identify alternate data streams

#### References

- [Sneaky Tip and Tricks with Alternate Data Streams](https://www.sans.org/presentations/sneaky-tip-and-tricks-with-alternate-data-streams/)
- [Malicious and Steganographic Potential in NTFS Alternate Data Streams](https://www.giac.org/paper/gsec/3075/malicious-steganographic-potential-ntfs-alternate-data-streams/105112)

### Microsoft 365 Defender

```kql
DeviceAlertEvents
| where Title contains "Process execution from an alternate data stream (ADS)"
```

```kql
DeviceProcessEvents
| where FileName   contains ":"
// | invoke FileProfile(SHA256,100) 
```

Explanation

The query is used to identify alternate data streams in NTFS file attributes. It looks for process execution from an alternate data stream in the DeviceAlertEvents table and searches for file names that contain a colon in the DeviceProcessEvents table.

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceAlertEventsDeviceProcessEvents

Keywords

Devices,Intune,User

Operators

|wherecontains|invoke

KQL Search

MDE NTFS File Attributes Alternate Data Streams

Query

Explanation

Details

Actions