Create powershell_NTFS_Alternate_Data_Streams

rules/windows/powershell/powershell_NTFS_Alternate_Data_Streams

@@ -0,0 +1,21 @@
+title: NTFS Alternate Data Stream
+status: experimental
+description: Detects writing data into NTFS alternate data streams from powershell
+references:
+    - http://www.powertheshell.com/ntfsstreams/
+tags:
+    - attack.defense_Evasion
+    - attack.t1096
+author: Sami Ruohone (rule)
+logsource:
+    product: windows
+    service: powershell
+    description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+    keywords:
+        - set-content
+          stream
+    condition: keywords
+falsepositives:
+    - unknown
+level: high