Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Where can I find information about Alternate Data Stream Detection queries?

EDR: Where can I find information about Alternate Data Stream Detection queries?

Environment

  • EDR (formerly CB Response): Version 7.x and Higher
  • Hosted EDR (formerly CB Response Cloud)

Question

Where can information be found to write queries regarding Alternate Data Stream Detection (ADS)?

Answer

The User Exchange Alternate Data Stream Detection (ADS) has older information about this kind of investigation. An updated version of the query for 7.x EDR and above would look like this:
process_name:msedge.exe AND (filemod:*.iso*\:* OR path:*.iso*\:*)

Additional Notes

  • If more information is necessary please reply in the comment section of the post.
  • Sometimes files get downloaded using "browser_broker.exe" OR "runtimebroker.exe" so it is possible to add these process to the query as well.

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-11-2020
Views:
402
Contributors