Adversaries may use alternate data streams to exfiltrate data or persist within Windows systems undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware or data exfiltration activities that evade traditional detection methods.
KQL Query
```kql
// Alternate Data Streams execution
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines used
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p"
// Removing IDE processes
and not(FolderPath has_any("visual studio", "ide"))
| summarize make_set(ProcessCommandLine), make_set(FolderPath),
make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
```
```yaml
id: 7d8692e0-e643-43cb-ac77-6efc5a6b7f4d
name: alt-data-streams
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
  The following query detects suspicious use of Alternate Data Streams (ADS), which may indicate an attempt to mask malicious activity. These campaigns have been known to deploy ransomware in-memory and exploit ADS.
  The See also section below lists more queries related to techniques shared by these campaigns.
  References:
  https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
  https://docs.microsoft.com/sysinternals/downloads/streams
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
query: |
  // Alternate Data Streams execution
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Command lines used
  | where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p"
  // Removing IDE processes
  and not(FolderPath has_any("visual studio", "ide"))
  | summarize make_set(ProcessCommandLine), make_set(FolderPath),
  make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to manipulate Alternate Data Streams (ADS) for forensic purposes or to store metadata with files.
Filter/Exclusion: Exclude processes initiated by the PowerShell executable with the -Command parameter containing Get-ItemProperty or Set-ItemProperty commands related to ADS manipulation.
Scenario: A scheduled backup job using Veeam Backup & Replication or Commvault is creating or modifying files with ADS to store additional metadata (e.g., versioning or timestamps).
Filter/Exclusion: Exclude processes with the Veeam or Commvault service names, or filter by the backup or snapshot job names in the process command line.
Scenario: A Windows Update or Group Policy deployment is using Robocopy or Xcopy to copy files, which may inadvertently create ADS due to file system behavior.
Filter/Exclusion: Exclude processes with Robocopy.exe or Xcopy.exe in the command line, or filter by the Windows Update or Group Policy service names.
Scenario: A system integrity check using Sysinternals tools like Process Monitor (ProcMon) or Process Explorer is interacting with ADS to inspect file metadata.
Filter/Exclusion: Exclude processes with ProcMon.exe, ProcessExplorer.exe, or ProcessMonitor.exe in the process name or command line.
Scenario: A log management tool such as Splunk or ELK Stack is using PowerShell or cmd.exe to write logs to files with ADS to store additional context or timestamps.
Filter/Exclusion: Exclude processes with Splunk or ELK related command lines, or filter by the
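The false-positive scenarios above, folded back into the hunting query as KQL exclusions. This is an added example, not the page's or Microsoft's own rule; the process and vendor strings it matches on (powershell.exe/pwsh.exe, Veeam and Commvault folder names, the Sysinternals and copy-tool binary names) are assumptions to tune per environment.

```kql
// Added example: the ADS hunting query with the documented false-positive
// exclusions applied. Names in the dynamic arrays are assumptions to tune.
let lookback = 7d;
let ide_paths = dynamic(["visual studio", "ide"]);
// Scenario: administrators manipulating ADS from PowerShell
let ps_ads_cmdlets = dynamic(["Get-ItemProperty", "Set-ItemProperty"]);
// Scenario: backup agents (assumed to appear in the initiating process path)
let backup_vendors = dynamic(["veeam", "commvault"]);
// Scenarios: file-copy tools and Sysinternals inspection tools
let copy_tools = dynamic(["robocopy.exe", "xcopy.exe"]);
let sysinternals = dynamic(["procmon.exe", "processmonitor.exe",
                            "processexplorer.exe", "procexp.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Original detection logic from the page
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine hasprefix "-p"
| where not(FolderPath has_any (ide_paths))
// Exclusion: PowerShell launched with -Command and an ADS property cmdlet
| where not(InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
            and InitiatingProcessCommandLine contains "-Command"
            and InitiatingProcessCommandLine has_any (ps_ads_cmdlets))
// Exclusion: jobs started by Veeam or Commvault services
| where not(InitiatingProcessFolderPath has_any (backup_vendors))
// Exclusion: Robocopy/Xcopy or Sysinternals tools as the process or its parent
| where not(FileName in~ (copy_tools) or InitiatingProcessFileName in~ (copy_tools))
| where not(FileName in~ (sysinternals) or InitiatingProcessFileName in~ (sysinternals))
| summarize
    CommandLines = make_set(ProcessCommandLine, 50),
    Paths = make_set(FolderPath, 50),
    Parents = make_set(InitiatingProcessCommandLine, 50),
    Hits = count()
  by DeviceId, DeviceName, bin(Timestamp, 1h)
| order by Hits desc
```

Review the excluded rows separately before committing an exclusion, since a parent named like a backup or copy tool is exactly what a masquerading process would choose.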