title: Executable in ADS
author: Florian Roth, @0xrawsec
date: 2018/06/03
description: Detects the creation of an ADS data stream that contains an executable
  (non-empty imphash)
detection:
  SELECTION_1:
    EventID: 15
  SELECTION_2:
    Imphash: '00000000000000000000000000000000'
  SELECTION_3:
    Imphash|re: ^$
  condition: (SELECTION_1 and  not ((SELECTION_2) or (SELECTION_3)))
falsepositives:
- unknown
fields:
- TargetFilename
- Image
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
level: critical
logsource:
  category: create_stream_hash
  definition: 'Requirements: Sysmon config with Imphash logging activated'
  product: windows
modified: 2020/08/26
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.s0139
- attack.t1564.004
ruletype: SIGMA