This rule isn't looking for any particular binary characteristics, as legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.

Techniques

Sample rules

Hidden Executable In NTFS Alternate Data Stream

Description

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash.

Detection logic

selection:
  # Sysmon Event ID 15 (FileCreateStreamHash) records the hashes of the stream
  # content in the Hash field; an IMPHASH entry only appears when that content is a PE.
  Hash|contains: IMPHASH=
filter_main_null:
  # Sysmon reports an all-zero import hash when it cannot compute one for the
  # stream content (e.g. a PE with no import table), so that value is excluded.
  Hash|contains: IMPHASH=00000000000000000000000000000000
condition: selection and not 1 of filter_main_*
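As an added example (not part of the LoFP page or the Sigma rule itself), the following Python applies the rule's selection and filter to a few constructed Sysmon Event ID 15 records: a PE written into an ADS, a browser-written Zone.Identifier stream (the false-positive class noted above), and the all-zero IMPHASH case the filter excludes. Field names follow Sysmon; paths and hash values are made up.

```python
from typing import Dict, List, Tuple

NULL_IMPHASH = "IMPHASH=00000000000000000000000000000000"

# Constructed Sysmon Event ID 15 (FileCreateStreamHash) records reduced to the
# fields the rule needs. Hash values are made up, not real file hashes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # PE dropped into an ADS: Sysmon computed a real import hash -> alert
        "Image": r"C:\Users\alice\Downloads\installer.exe",
        "TargetFilename": r"C:\Users\alice\notes.txt:update.exe",
        "Hash": "SHA256=" + "A1" * 32 + ",IMPHASH=" + "B2" * 16,
    },
    {   # Browser writing a Zone.Identifier (mark-of-the-web) stream: not a PE,
        # so no IMPHASH entry at all -> selection does not match
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        "Hash": "SHA256=" + "C3" * 32,
    },
    {   # Stream content for which Sysmon could not compute an import hash
        # (e.g. a PE with no import table): all-zero IMPHASH -> filter_main_null
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetFilename": r"C:\ProgramData\cache.dat:blob",
        "Hash": "SHA256=" + "D4" * 32 + "," + NULL_IMPHASH,
    },
]


def parse_hash_field(hash_field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=value,ALG=value' Hash field into {ALG: value}."""
    result: Dict[str, str] = {}
    for part in hash_field.split(","):
        alg, sep, value = part.partition("=")
        if sep:
            result[alg.strip()] = value.strip()
    return result


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one event.
    Sigma's 'contains' modifier is case-insensitive, hence the upper()."""
    h = event.get("Hash", "").upper()
    selection = "IMPHASH=" in h           # selection: Hash|contains: IMPHASH=
    filter_main_null = NULL_IMPHASH in h  # filter_main_null
    return selection and not filter_main_null


def run_rule(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (TargetFilename, IMPHASH) for every event the rule fires on."""
    return [(e["TargetFilename"], parse_hash_field(e["Hash"]).get("IMPHASH", ""))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for target, imphash in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: executable in ADS {target} (IMPHASH={imphash})")
```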