Unusual File Creation - Alternate Data Streamedit

Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

file where event.type == "creation" and file.path : "C:\\*:*" and
not file.path : "C:\\*:zone.identifier*" and file.extension : (
"pdf", "dll", "png", "exe", "dat",
"com", "bat", "cmd", "sys", "vbs",
"ps1", "hta", "txt", "vbe", "js", "wsh",
"docx", "doc", "xlsx", "xls", "pptx",
"ppt", "rtf", "gif", "jpg", "png",
"bmp", "img", "iso" )

Threat mappingedit