SigmaHQ/rules/windows/sysmon/sysmon_ads_executable.yml

title: Executable in ADS
status: experimental
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
references:
    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.s0139
author: Florian Roth, @0xrawsec
date: 2018/06/03
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
    selection:
        EventID: 15
    filter:
        Imphash: '00000000000000000000000000000000'
    condition: selection and not filter
fields:
    - TargetFilename
    - Image
falsepositives:
    - unknown
level: critical
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`title: Executable in ADS`
			`status: experimental`
			`description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)`
			`references:`
			`- https://twitter.com/0xrawsec/status/1002478725605273600?s=21`
Further ATT&CK tagging 2018-07-19 21:36:13 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1027`
			`- attack.s0139`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`author: Florian Roth, @0xrawsec`
			`date: 2018/06/03`
			`logsource:`
			`product: windows`
			`service: sysmon`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Requirements: Sysmon config with Imphash logging activated'`
Rule: ADS with executable https://twitter.com/0xrawsec/status/1002478725605273600 2018-06-03 00:08:39 +00:00			`detection:`
			`selection:`
			`EventID: 15`
			`filter:`
			`Imphash: '00000000000000000000000000000000'`
			`condition: selection and not filter`
			`fields:`
			`- TargetFilename`
			`- Image`
			`falsepositives:`
			`- unknown`
			`level: critical`