Merge pull request #850 from nterl0k/nterl0k-T1564.004-ads-abuse
Nterl0k - T1564.004 NTFS Alternate Data Streams abuse
patel-bhavin authored Dec 11, 2023
2 parents 90ebcb7 + ac6d634 commit e562b46
Showing 2 changed files with 19 additions and 0 deletions.
16 changes: 16 additions & 0 deletions datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml
@@ -0,0 +1,16 @@
author: Steven Dick
id: e18714c0-ab84-44f6-9117-5531e3eb3a0c
date: '2023-10-30'
description: 'Detection of common behaviors used to abouse NTFS alternate datastreams.'
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
sourcetypes:
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- WinEventLog:Security
references:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://car.mitre.org/analytics/CAR-2020-08-001/
- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams
- https://blog.netwrix.com/2022/12/16/alternate_data_stream/
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
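Review bot: the `sourcetypes` list includes `WinEventLog:Security`, but `dataset` only lists `ads_abuse_sysmon.log`, so there is no Security-channel data backing that sourcetype; either add the corresponding Security event log to `dataset` or drop `WinEventLog:Security` from `sourcetypes`. Also, the `description` value has a typo: "abouse NTFS alternate datastreams" should read "abuse NTFS alternate data streams".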
Git LFS file not shown