SigmaHQ/rules/windows/create_stream_hash/sysmon_ads_executable.yml

title: Executable in ADS
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: experimental
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
references:
    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
tags:
    - attack.defense_evasion
    - attack.t1027          # an old one
    - attack.s0139
    - attack.t1564.004
author: Florian Roth, @0xrawsec
date: 2018/06/03
modified: 2020/08/26
logsource:
    product: windows
    category: create_stream_hash
    definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
    filter1:
        Imphash: '00000000000000000000000000000000'
    filter2:
        Imphash: null
    condition: not 1 of filter*
fields:
    - TargetFilename
    - Image
falsepositives:
    - unknown
level: critical
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`title: Executable in ADS`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: b69888d4-380c-45ce-9cf9-d9ce46e67821`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`status: experimental`
			`description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)`
			`references:`
			`- https://twitter.com/0xrawsec/status/1002478725605273600?s=21`
Further ATT&CK tagging 2018-07-19 21:36:13 +00:00			`tags:`
			`- attack.defense_evasion`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`- attack.t1027 # an old one`
Further ATT&CK tagging 2018-07-19 21:36:13 +00:00			`- attack.s0139`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`- attack.t1564.004`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`author: Florian Roth, @0xrawsec`
			`date: 2018/06/03`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`modified: 2020/08/26`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`logsource:`
			`product: windows`
- Fix for sysmon_ads_executable.yml 2020-10-02 08:54:15 +00:00			`category: create_stream_hash`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Requirements: Sysmon config with Imphash logging activated'`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`detection:`
Move null values out from list in rules 2020-05-05 07:04:47 +00:00			`filter1:`
			`Imphash: '00000000000000000000000000000000'`
			`filter2:`
			`Imphash: null`
- Created new categories for sysmon events - Replaced the explicit EventIDs with the reference to the category - Moved the rules to the corresponding directories 2020-09-30 18:44:14 +00:00			`condition: not 1 of filter*`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`fields:`
			`- TargetFilename`
			`- Image`
			`falsepositives:`
			`- unknown`
			`level: critical`