Adversaries may use NTFS Alternate Data Streams (ADS) to hide malicious payloads and evade detection; ADS use is therefore an indicator of potential ransomware activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage ransomware attacks in healthcare environments.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
// Command lines used
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine has "-p"
    // Removing IDE processes
    and not(FolderPath has_any("visual studio", "ide"))
| summarize make_set(ProcessCommandLine), make_set(FolderPath),
    make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
```
```yaml
id: 90985951-5998-45d3-831f-8fd3c66ac9f9
name: Ransomware hits healthcare - Alternate Data Streams use
description: |
  Find use of Alternate Data Streams (ADS) for anti-forensic purposes.
  Alternate Data Streams execution.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Command lines used
  | where ProcessCommandLine startswith "-q -s" and ProcessCommandLine has "-p"
      // Removing IDE processes
      and not(FolderPath has_any("visual studio", "ide"))
  | summarize make_set(ProcessCommandLine), make_set(FolderPath),
      make_set(InitiatingProcessCommandLine) by DeviceId, bin(Timestamp, 1h)
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled backup job using ADS for storing metadata | A backup tool (e.g., Veeam, Acronis) uses Alternate Data Streams to store metadata or version history for files. | Check for known backup tools in the process tree or file system metadata. Exclude files with known backup-related ADS names (e.g., ~$ or ._). |
| Windows admin task using ADS for log storage | An administrator uses ADS to store logs or temporary files in a shared directory (e.g., using PowerShell or a script). | Filter by user account (e.g., Administrator or SYSTEM) and check for known administrative tasks (e.g., log rotation, audit logging). |
| Scripting tool (PowerShell) using ADS for data persistence | A legitimate PowerShell script uses ADS to store configuration or data in a hidden manner (e.g., for secure storage). | Filter by script execution context (e.g., PowerShell.exe with known legitimate scripts) and check for ADS names associated with known scripting tools. |
| File system compression or indexing using ADS | Windows File System (FAT32/NTFS) compression or indexing services use ADS to store metadata, which can trigger the rule. | Exclude files with ADS names associated with system or indexing services (e.g., ::$DATA, :Zone.Identifier). |
| Legacy application using ADS for compatibility | An older application (e.g., Microsoft Office, legacy database tools) uses ADS for compatibility or data storage. | Exclude files with ADS names associated with known legacy applications, or check for application-specific ADS usage patterns. |
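As an added tuning example (not the hunting query's own code), the query above is extended with the handling the false-positive scenarios describe: hits whose parent runs from a backup product path are dropped, and hits in Administrator/SYSTEM context are flagged rather than removed so the analyst can triage them separately. The backup path fragments, the account names and the set-size caps are assumptions to adjust per environment.

```kusto
// Added example: the hunting query with the false-positive handling from the scenarios table.
// Path fragments, account names and set-size caps are assumptions; tune them per environment.
let lookback = 7d;
let ide_paths = dynamic(["visual studio", "ide"]);            // original IDE exclusion
let backup_paths = dynamic(["veeam", "acronis"]);             // scenario: backup tools (assumed install paths)
let admin_accounts = dynamic(["administrator", "system"]);    // scenario: admin task context
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Same command-line predicate as the original query
| where ProcessCommandLine startswith "-q -s" and ProcessCommandLine has "-p"
| where not(FolderPath has_any (ide_paths))
// Backup tools: drop hits whose parent process runs from a known backup product path
| where not(InitiatingProcessFolderPath has_any (backup_paths))
// Admin/SYSTEM context: keep the rows but flag them so they can be triaged separately
| extend AdminContext = tolower(AccountName) in (admin_accounts)
| summarize Hits = count(),
            AdminHits = countif(AdminContext),
            CommandLines = make_set(ProcessCommandLine, 20),
            Folders = make_set(FolderPath, 20),
            Parents = make_set(InitiatingProcessCommandLine, 20),
            Accounts = make_set(AccountName, 10)
    by DeviceId, DeviceName, bin(Timestamp, 1h)
// Hosts with at least one hit outside the expected admin/SYSTEM context sort first
| extend NonAdminHits = Hits - AdminHits
| order by NonAdminHits desc, Hits desc
```

The NonAdminHits column gives a first triage key: a device with only admin-context hits matches the second scenario and can be checked against known administrative tasks before escalation.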