Adversaries may use the NTFS INDEX_ALLOCATION stream to create hidden directories, evading standard file system visibility. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or data exfiltration tactics leveraging hidden file system structures.
Detection Rule
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
    - id: 0900463c-b33b-49a8-be1d-552a3b553dae
      type: similar
status: test
description: |
    Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
        TargetFilename|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium
imFileEvent
| where TargetFileName contains "::$index_allocation"
Scenario: System Restore Point Creation
Description: When the system creates a restore point, it may generate hidden directories or files in the System Volume Information folder, which uses the NTFS INDEX_ALLOCATION stream.
Filter/Exclusion: Exclude events where the file path contains System Volume Information or where the process is svchost.exe or services.exe.
Scenario: Scheduled Backup Job Using VSS (Volume Shadow Copy Service)
Description: Backup tools like Veeam, Acronis, or Microsoft Backup may create temporary hidden directories or use the INDEX_ALLOCATION stream during snapshot creation.
Filter/Exclusion: Exclude events where the file path includes VolumeSnapshots or where the process is vssserver.exe or wbemcons.exe.
Scenario: Windows Update or Patching Task
Description: Windows Update or third-party patching tools (e.g., WSUS, SCCM) may create temporary hidden directories during installation or rollback processes.
Filter/Exclusion: Exclude events where the file path contains WindowsUpdate or where the process is wuauclt.exe or msiexec.exe.
Scenario: Admin Task for File System Integrity Check (e.g., chkdsk)
Description: Running chkdsk or similar tools may temporarily create hidden directories or use the INDEX_ALLOCATION stream during disk scan operations.
Filter/Exclusion: Exclude events where the file path includes chkdsk or where the process is cmd.exe with the chkdsk command line argument.
Scenario: User-Initiated File System Repair or Disk Cleanup
Description: Users or administrators may run tools like Disk Cleanup, Defragmenter, or sfc /scannow that temporarily create hidden
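As an added example that is not part of the original page or the rule author's work, the query above together with a subset of the exclusions from the scenarios is expressed as Python over constructed ASIM-style FileEvent records (the field names TargetFilePath and ActingProcessName follow the ASIM FileEvent schema; the events themselves are invented). The match is case-insensitive, as KQL `contains` and Sigma `contains` are, so a differently cased stream name is still caught, while an ordinary alternate data stream is not.

```python
"""Hunt for '::$index_allocation' in ASIM-style file events, applying the page's exclusions."""
from typing import Iterable

STREAM_MARKER = "::$index_allocation"  # NTFS stream names are case-insensitive

# Benign-activity exclusions taken from the page's scenarios (a subset).
# As the page phrases each filter, an event is dropped if its path contains
# any marker OR its acting process is in the set; tune both to your environment.
EXCLUDED_PATH_MARKERS = ("system volume information", "windowsupdate")
EXCLUDED_PROCESSES = {"svchost.exe", "services.exe", "wuauclt.exe", "msiexec.exe"}


def is_hidden_stream_event(event: dict) -> bool:
    """Mirror `TargetFileName contains "::$index_allocation"` (case-insensitive)."""
    path = event.get("TargetFilePath") or event.get("TargetFileName") or ""
    return STREAM_MARKER in path.lower()


def is_excluded(event: dict) -> bool:
    """True when the event matches one of the page's benign-activity exclusions."""
    path = (event.get("TargetFilePath") or "").lower()
    proc = (event.get("ActingProcessName") or "").lower()
    return any(marker in path for marker in EXCLUDED_PATH_MARKERS) or proc in EXCLUDED_PROCESSES


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events that warrant analyst attention, in input order."""
    return [e for e in events if is_hidden_stream_event(e) and not is_excluded(e)]


# Constructed sample events (not real telemetry); one per case the rule must handle.
SAMPLE_EVENTS = [
    {"TargetFilePath": r"C:\Users\alice\AppData\Local\Temp\stage::$index_allocation", "ActingProcessName": "cmd.exe"},
    {"TargetFilePath": r"C:\ProgramData\cache::$INDEX_ALLOCATION", "ActingProcessName": "powershell.exe"},
    {"TargetFilePath": r"C:\System Volume Information\rp1::$index_allocation", "ActingProcessName": "svchost.exe"},
    {"TargetFilePath": r"C:\Windows\SoftwareDistribution\Download\x.cab", "ActingProcessName": "wuauclt.exe"},
    {"TargetFilePath": r"C:\Users\alice\Desktop\notes.txt:hidden:$DATA", "ActingProcessName": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT {hit['ActingProcessName']} -> {hit['TargetFilePath']}")
```

Excluding on process name alone (as the page's filters do) silences every event from that process, so check the volume each exclusion removes before enabling it.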