Sysmon Alert Details
Alert ID: SYSMON-HIDE-ARTIFACTS-1564-7842
Alert Time: 2024-02-20 14:15:33 EST
Severity: HIGH (82/100)
Source: Sysmon (Event ID 15 – Alternate Data Stream Created)
Rule: “NTFS Alternate Data Stream Created – Potential Hidden Data”
MITRE ATT&CK: T1564.004 – Hide Artifacts: NTFS File Attributes
Alert Details:
Event ID: 15 (Alternate Data Stream Created)
Time: 14:10 EST
Host: DEV-WS-112 (Development Workstation)
User: alexchen (Alex Chen, Developer)
File: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask (Zone.Identifier stream)
Stream Name: Zone.Identifier
Stream Size: 26 bytes
Additional Sysmon Events:
Event ID 11 (File Create):
Time: 14:09 EST
Path: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask
Process: powershell.exe (PID: 4789)
Command: Out-File -FilePath C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask -Stream Zone.Identifier -Value "[ZoneTransfer]`nZoneId=3"
Event ID 1 (Process Creation):
Time: 14:08 EST
Process: powershell.exe
Command: powershell -Command "Add-Content -Path C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask -Stream Zone.Identifier -Value '[ZoneTransfer]`nZoneId=3'"
Detection Logic:
Alternate Data Stream (ADS) created on a system file
ADS used to hide data (Zone.Identifier marks file as downloaded from internet)
File path is legitimate Windows Update task location
Process using ADS to hide origin of file
Technique used to evade security tools that don’t scan ADS
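The criteria above, applied to Sysmon Event ID 15 records, as an added PowerShell example that is not part of the original alert write-up. The two event XML records are constructed for the demo (the first mirrors the alert's file and process, the second is a benign browser download for contrast); the system-directory list and the scripting-host list are assumptions to tune per estate. The final comment shows how to feed the same functions from the live Sysmon channel.

```powershell
# Added example, not part of the original alert write-up: the detection criteria above
# applied to Sysmon Event ID 15 (FileCreateStreamHash) records. Sample records are constructed.

# Directories where a freshly written alternate data stream is unexpected (assumed list).
$SystemDirectories = @(
    'C:\Windows\System32\Tasks\',
    'C:\Windows\System32\',
    'C:\Windows\SysWOW64\'
)

# Processes that have no business writing Zone.Identifier; browsers and mail clients do (assumed list).
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function ConvertFrom-SysmonEvent15 {
    # Flattens one Event ID 15 XML record. Sysmon stores the stream as "<file path>:<stream name>",
    # so the split is on the last colon, not on the drive-letter colon.
    param([Parameter(Mandatory)][string]$EventXml)

    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $target = $data['TargetFilename']
    $idx    = $target.LastIndexOf(':')
    if ($idx -gt 1) {
        $filePath = $target.Substring(0, $idx)
        $stream   = $target.Substring($idx + 1)
    } else {
        $filePath = $target
        $stream   = ''
    }

    [pscustomobject]@{
        UtcTime   = $data['UtcTime']
        Image     = $data['Image']
        ProcessId = $data['ProcessId']
        FilePath  = $filePath
        Stream    = $stream
    }
}

function Test-SuspiciousAdsEvent {
    # Returns the criteria a record matches; two or more is the bar used for the ALERT verdict below.
    param([Parameter(Mandatory)]$Record)

    $reasons = @()
    $inSystemDir = $SystemDirectories | Where-Object { $Record.FilePath.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($inSystemDir) { $reasons += 'ADS created under a system directory' }

    if ($Record.Stream -eq 'Zone.Identifier') {
        $reasons += 'Zone.Identifier written directly (origin marker set by the writing process, not by a download)'
    }

    $image = (Split-Path -Path $Record.Image -Leaf).ToLowerInvariant()
    if ($ScriptHosts -contains $image) { $reasons += "stream written by scripting host $image" }

    return $reasons
}

# Constructed records: the alert's event, and a browser download of a PDF for contrast.
$samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>15</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-02-20 19:10:02.118</Data>
    <Data Name="ProcessId">4789</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetFilename">C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask:Zone.Identifier</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>15</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-02-20 19:12:44.003</Data>
    <Data Name="ProcessId">6120</Data>
    <Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
    <Data Name="TargetFilename">C:\Users\alexchen\Downloads\quarterly-report.pdf:Zone.Identifier</Data>
  </EventData>
</Event>
'@
)

foreach ($s in $samples) {
    $rec  = ConvertFrom-SysmonEvent15 -EventXml $s
    $hits = @(Test-SuspiciousAdsEvent -Record $rec)
    $verdict = if ($hits.Count -ge 2) { 'ALERT' } else { 'info ' }
    '{0} {1} {2} -> :{3} [{4}]' -f $verdict, $rec.UtcTime, $rec.FilePath, $rec.Stream, ($hits -join '; ')
}

# Live hosts: replace $samples with the Sysmon channel, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 15 } |
#       ForEach-Object { $_.ToXml() }
```

The browser record matches only the Zone.Identifier criterion and stays informational, which is the point of scoring on the combination: Zone.Identifier on its own is written many times a day by legitimate downloads, while a scripting host writing it under C:\Windows\System32\Tasks is the pattern this alert fired on.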
Additional Context:
File UpdateTask is actually a malicious scheduled task XML
Hidden ADS used to mark it as “safe” (ZoneId=3 means internet)
Scheduled task created earlier by malware
ADS hides the fact that file came from internet
SOC Investigation Process
Step                    | Action                  | Tools Used                     | Findings
------------------------|-------------------------|--------------------------------|----------------------------------------------
1. Alert Validation     | Verify Sysmon events    | Splunk, Sysmon Logs            | Confirmed ADS creation on scheduled task file
2. File Analysis        | Examine UpdateTask file | PowerShell, Notepad            | Malicious scheduled task XML (runs PowerShell)
3. Scheduled Task Check | List tasks              | schtasks, PowerShell           | Malicious task “WindowsUpdateTask” found
4. Immediate Action     | Disable and delete task | schtasks /delete               | Task removed
5. ADS Removal          | Remove ADS stream       | powershell Remove-Item -Stream | ADS deleted
6. Threat Hunting       | Check for other ADS     | Sysmon, Splunk                 | No other suspicious ADS found
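Steps 2, 3, 5 and 6 of the table above as reusable PowerShell, added here as an example and not taken from the incident report. The fixture written under $env:TEMP (a placeholder file carrying a Zone.Identifier stream) is constructed so the script runs offline on any NTFS volume; the function names, the evidence-file naming and the scripting-host pattern are assumptions. For a real hunt, point Find-AlternateDataStream at C:\Windows\System32\Tasks and run as an administrator.

```powershell
# Added example, not from the incident report: steps 2, 3, 5 and 6 of the investigation table
# as functions, exercised against a constructed fixture under $env:TEMP.

function Find-AlternateDataStream {
    # Steps 2 and 6: every stream other than the primary :$DATA stream under -Path. The text
    # of Zone.Identifier streams is included so the ZoneId is visible in a single listing.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$IgnoreStream = @(':$DATA')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    $text = $null
                    if ($_.Stream -eq 'Zone.Identifier') {
                        $text = Get-Content -LiteralPath $file -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                    }
                    $content = if ($text) { $text.Trim() } else { $null }
                    [pscustomobject]@{ File = $file; Stream = $_.Stream; Length = $_.Length; Content = $content }
                }
        }
}

function Remove-AlternateDataStream {
    # Step 5: preserve the stream's content for the case file, then delete only that stream.
    # The primary stream (the file itself) is left untouched; deleting the file is a separate decision.
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    $evidence = Join-Path $env:TEMP ('ads-evidence_{0}_{1}.txt' -f (Split-Path $File -Leaf), $Stream)
    $data = Get-Content -LiteralPath $File -Stream $Stream -Raw -ErrorAction SilentlyContinue
    if ($null -ne $data) { Set-Content -LiteralPath $evidence -Value $data -NoNewline }
    Remove-Item -LiteralPath $File -Stream $Stream
    return $evidence
}

function Get-ScriptHostScheduledTask {
    # Step 3: registered tasks whose action launches a scripting host, mapped to the task XML
    # file under C:\Windows\System32\Tasks that Find-AlternateDataStream would inspect.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                    XmlFile   = Join-Path 'C:\Windows\System32\Tasks' ($task.TaskPath + $task.TaskName)
                }
            }
        }
    }
}

# --- Constructed fixture: a placeholder task XML carrying a Zone.Identifier stream ---
$labRoot = Join-Path $env:TEMP 'ads-lab'
$labDir  = Join-Path $labRoot 'Tasks\Microsoft\Windows\UpdateOrchestrator'
New-Item -ItemType Directory -Path $labDir -Force | Out-Null
$taskFile = Join-Path $labDir 'UpdateTask'
Set-Content -LiteralPath $taskFile -Value '<Task version="1.2"><!-- constructed placeholder, not a real task --></Task>'
Set-Content -LiteralPath $taskFile -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Step 6: hunt. Each row is a stream that a plain directory listing would not show.
$hits = @(Find-AlternateDataStream -Path $labRoot)
$hits | Format-Table File, Stream, Length, Content -AutoSize

# Step 5: remove the flagged stream, keeping a copy of its contents.
foreach ($h in $hits | Where-Object { $_.Stream -eq 'Zone.Identifier' }) {
    $saved = Remove-AlternateDataStream -File $h.File -Stream $h.Stream
    'Removed {0}:{1} (copy saved to {2})' -f $h.File, $h.Stream, $saved
}

# Verify: only the primary stream is left on the file.
(Get-Item -LiteralPath $taskFile -Stream *).Stream

# Step 3 on a live host (needs the ScheduledTasks module, i.e. Windows 8 / Server 2012 or later):
#   Get-ScriptHostScheduledTask | Format-Table Task, Execute, Arguments -AutoSize
```

Two design points worth noting. Get-Item -Stream * is the listing that dir and Explorer do not give you, which is why step 6 cannot be done with a normal file listing; and the removal function copies the stream out before deleting it, because Remove-Item -Stream is irreversible and the stream content (here the ZoneId line) is part of the evidence the report relies on.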
Jira Incident Report
Ticket: SOC-2024-102
Summary: T1564 – Malicious Scheduled Task Hidden via Alternate Data Stream
Status: RESOLVED
Resolution: MALICIOUS – Artifact Removed
Priority: P2 – MEDIUM
Labels: T1564, hide-artifacts, ads, alternate-data-stream, sysmon
Components: Endpoint-Security, Persistence
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 15 (Alternate Data Stream Created).
Alert: “NTFS Alternate Data Stream Created – Potential Hidden Data”.
Host: DEV-WS-112 (Development Department, user alexchen).
File: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask (Zone.Identifier stream).
Time: 2024-02-20 14:15 EST.
Technique: MITRE ATT&CK T1564.004 – Hide Artifacts: NTFS File Attributes.
2. Technical Analysis:
Attack Chain:
13:45 – User clicked phishing link
13:46 – Malware downloaded
13:50 – Malware created scheduled task XML file (UpdateTask)
13:51 – Malware used PowerShell to add Zone.Identifier ADS
13:52 – ADS marks file as “downloaded from internet” (ZoneId=3)
13:53 – Malware registers scheduled task using schtasks
14:08 – PowerShell executed to create ADS (detected)
14:10 – Sysmon alerts
Scheduled Task Details:
Task Name: WindowsUpdateTask (masquerading)
Task XML Location: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask
Trigger: Daily at 3 AM
Action: PowerShell encoded reverse shell
Hidden via: ADS (Zone.Identifier) to avoid suspicion
ADS Technique:
Stream: Zone.Identifier
Purpose: Indicates file originated from internet zone
Abuse: Malware adds this stream to make file appear legitimate
Evasion: Many security tools ignore ADS when scanning
User Activity:
User clicked link in email about “security update”
Unaware of malware installation
3. Investigation Findings:
Timeline:
13:45 – Phishing link clicked
13:50-13:53 – Scheduled task created
14:08 – ADS added
14:10 – Sysmon alert
14:15 – SOC investigates
14:18 – Task deleted, ADS removed
Indicators of Compromise (IoCs):
Files:
– C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask (with ADS)
Scheduled Task:
– Name: WindowsUpdateTask
– Action: PowerShell reverse shell
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Deleted malicious scheduled task.
Removed ADS stream from file.
Deleted the task XML file.
Isolated host temporarily.
Host Remediation:
Full scan (no other malware).
Verified no other ADS present.
User Remediation:
Password reset.
Phishing training assigned.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link, leading to malware.
Contributing Factors:
No ASR rule blocking scheduled task creation.
ADS not monitored (until Sysmon).
6. Business Impact:
Operational Impact: Developer workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious task removed.
ADS deleted.
User educated.
Technical Controls Enhanced:
Created Sysmon rule for ADS creation on system directories.
Enhanced scheduled task monitoring.
Enabled scanning of ADS in antivirus.
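The first control above (“Created Sysmon rule for ADS creation on system directories”) as a Sysmon configuration fragment, added here as an illustration; it is constructed for this write-up and is not the team's deployed rule. Event ID 15 (FileCreateStreamHash) is the event type the alert came from, so the fragment scopes that event type rather than logging every stream on the host. The directory list, the rule names and the scripting-host match are assumptions to adapt per environment.

```xml
<Sysmon schemaversion="4.50">
  <!-- Constructed example, not the page's own rule. Event ID 15 fires for every alternate
       data stream created; this include-list keeps the volume to two patterns the report
       cares about. The name attribute lands in the event's RuleName field for the SIEM. -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="ADS on system directories" groupRelation="or">
      <FileCreateStreamHash onmatch="include">
        <!-- Any stream written under directories where a new ADS is unexpected (assumed list). -->
        <TargetFilename name="T1564.004,ADS-system-dir" condition="begin with">C:\Windows\System32\Tasks\</TargetFilename>
        <TargetFilename name="T1564.004,ADS-system-dir" condition="begin with">C:\Windows\System32\</TargetFilename>
        <TargetFilename name="T1564.004,ADS-system-dir" condition="begin with">C:\Windows\SysWOW64\</TargetFilename>
        <TargetFilename name="T1564.004,ADS-system-dir" condition="begin with">C:\ProgramData\</TargetFilename>
        <!-- Zone.Identifier written by PowerShell anywhere: browsers write this stream, scripts should not. -->
        <Rule name="T1564.004,ADS-zone-by-powershell" groupRelation="and">
          <Image condition="end with">powershell.exe</Image>
          <TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
        </Rule>
      </FileCreateStreamHash>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with sysmon64 -c <config.xml> on a host that already runs Sysmon, then confirm with a test stream in a scratch directory that the event arrives with the expected RuleName before relying on it in Splunk. Keep the include list narrow: an unscoped FileCreateStreamHash rule logs every browser download on the estate and buries the case this report describes.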
8. Conclusion:
Attackers used an Alternate Data Stream to hide the origin of a malicious scheduled task file. Sysmon detected the ADS creation, leading to discovery and removal of the hidden persistence mechanism.
Closure Rationale: Malicious task removed; ADS deleted; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 15:30 EST