title: Executable in ADS
ruletype: Sigma
author: Florian Roth, @0xrawsec
date: 2018/06/03
description: Detects the creation of an ADS data stream that contains an executable
  (non-empty imphash)
detection:
  SELECTION_1:
    EventID: 15
  SELECTION_2:
    Hashes: '*IMPHASH=*'
  SELECTION_3:
    Hashes: '*IMPHASH=00000000000000000000000000000000*'
  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
falsepositives:
- unknown
fields:
- TargetFilename
- Image
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
level: critical
logsource:
  category: create_stream_hash
  definition: 'Requirements: Sysmon config with Imphash logging activated'
  product: windows
modified: 2021/12/08
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
status: test
tags:
- attack.defense_evasion
- attack.t1027
- attack.s0139
- attack.t1564.004