Suspicious use of NTFS file attributes such as Alternate Data Streams (ADS) or Extended Attributes (EA) to hide data. Defender perspective: anomalous file creations or modifications whose path uses colon syntax (file.ext:ads), API calls such as ZwSetEaFile/ZwQueryEaFile, or PowerShell cmdlets and Windows utilities invoked with a -Stream parameter. Correlating file metadata anomalies with process lineage and command execution provides the context needed to separate legitimate stream use from data hiding.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-File | ZwSetEaFile or ZwQueryEaFile function calls |

| Field | Description |
|---|---|
| ADSPathWhitelist | Exclude legitimate ADS usage by system or AV tools. |
| ProcessScope | Restrict monitoring to suspicious parent processes (e.g., powershell.exe, cmd.exe, wscript.exe). |
| TimeWindow | Correlate ADS creation with subsequent process execution to strengthen malicious context. |
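As an added example (not from the original page or from ATT&CK), the following Python applies the strategy above to constructed Sysmon-style events: it extracts the stream name after the colon in EventCode 11/15 file paths, drops names on the ADSPathWhitelist such as Zone.Identifier, raises the score when the creating process is in ProcessScope, and raises it again when a ProcessCreate referencing the same ADS path follows within TimeWindow. The event field names, sample paths, timestamps and tunable values are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry): 11 = FileCreate, 15 = FileCreateStreamHash, 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventCode": 15, "UtcTime": "2024-01-01 10:00:00", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\a\\report.txt:payload.exe"},
    {"EventCode": 1, "UtcTime": "2024-01-01 10:02:00", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\a\\report.txt:payload.exe"},
    {"EventCode": 15, "UtcTime": "2024-01-01 11:00:00", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\a\\Downloads\\setup.exe:Zone.Identifier"},
]

# Tunables named in the strategy table; the values here are illustrative assumptions.
ADS_PATH_WHITELIST = {"zone.identifier", "smartscreen"}   # stream names browsers/AV write legitimately
PROCESS_SCOPE = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TIME_WINDOW = timedelta(minutes=10)

def leaf(path):
    """Final path component, lower-cased (e.g. 'report.txt:payload.exe')."""
    return path.rsplit("\\", 1)[-1].lower()

def stream_name(path):
    """ADS name after the colon in 'file.ext:stream' (':$DATA' type suffix stripped), else None."""
    name = leaf(path)
    if name.endswith(":$data"):
        name = name[: -len(":$data")]
    stream = name.split(":", 1)[1] if ":" in name else ""
    return stream or None

def detect_ads(events, whitelist=ADS_PATH_WHITELIST, scope=PROCESS_SCOPE, window=TIME_WINDOW):
    """Alert on non-whitelisted ADS creations, scored by ProcessScope and TimeWindow context."""
    def ts(e):
        return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
    proc_events = [e for e in events if e["EventCode"] == 1]
    alerts = []
    for e in events:
        if e["EventCode"] not in (11, 15):
            continue
        stream = stream_name(e["TargetFilename"])
        if stream is None or stream in whitelist:
            continue
        score, reasons = 1, [f"ADS created: {e['TargetFilename']}"]
        if leaf(e["Image"]) in scope:
            score, reasons = score + 1, reasons + [f"creator in ProcessScope: {leaf(e['Image'])}"]
        for p in proc_events:  # later execution that references the same stream path
            delta = ts(p) - ts(e)
            if timedelta(0) <= delta <= window and e["TargetFilename"].lower() in p["CommandLine"].lower():
                score, reasons = score + 1, reasons + [f"executed within TimeWindow by {leaf(p['Image'])}"]
        alerts.append({"path": e["TargetFilename"], "stream": stream, "score": score, "reasons": reasons})
    return alerts
```

Running detect_ads(SAMPLE_EVENTS) yields a single alert for report.txt:payload.exe with score 3; the Zone.Identifier stream is suppressed by the whitelist.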