Unusual File Creation - Alternate Data Streamedit

Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 2 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Config

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.

Rule queryedit

file where event.type == "creation" and file.path : "C:\\*:*" and
not file.path : "C:\\*:zone.identifier*" and file.extension : (
"pdf", "dll", "png", "exe", "dat",
"com", "bat", "cmd", "sys", "vbs",
"ps1", "hta", "txt", "vbe", "js", "wsh",
"docx", "doc", "xlsx", "xls", "pptx",
"ppt", "rtf", "gif", "jpg", "png",
"bmp", "img", "iso" )

Threat mappingedit


Rule version historyedit

Version 2 (8.2.0 release)
  • Formatting only