Skip to content

DET0432 Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)

Item Value
ID DET0432
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1564.004 (NTFS File Attributes)

Analytics

Windows

AN1206

Suspicious use of NTFS file attributes such as Alternate Data Streams (ADS) or Extended Attributes (EA) to hide data. Defender perspective: anomalous file creations or modifications containing colon syntax (file.ext:ads), API calls like ZwSetEaFile/ZwQueryEaFile, or PowerShell/Windows utilities interacting with -stream parameters. Correlation across file metadata anomalies, process lineage, and command execution provides context.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Metadata (DC0059) WinEventLog:Sysmon EventCode=15
OS API Execution (DC0021) etw:Microsoft-Windows-Kernel-File ZwSetEaFile or ZwQueryEaFile function calls
Mutable Elements
Field Description
ADSPathWhitelist Exclude legitimate ADS usage by system or AV tools.
ProcessScope Restrict monitoring to suspicious parent processes (e.g., powershell.exe, cmd.exe, wscript.exe).
TimeWindow Correlate ADS creation with subsequent process execution to strengthen malicious context.