Environment
- EDR (formerly CB Response): Version 7.x and Higher
- Hosted EDR (formerly CB Response Cloud)
Question
Where can information be found to write queries regarding Alternate Data Stream Detection (ADS)?
Answer
The User Exchange post Alternate Data Stream Detection (ADS) has older information about this kind of investigation. An updated version of the query for EDR 7.x and above looks like this:
process_name:msedge.exe AND (filemod:*.iso*\:* OR path:*.iso*\:*)
Additional Notes
- If more information is necessary please reply in the comment section of the post.
- Sometimes files get downloaded using "browser_broker.exe" OR "runtimebroker.exe", so it is possible to add these processes to the query as well.
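To see what the query above actually matches, here is an added example (not from the original post or from the EDR product) that evaluates the same logic locally over a few constructed process events: the wildcard term `*.iso*\:*` is treated as ".iso" followed later by the NTFS stream separator ":", and the optional broker processes from the note above can be switched on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex equivalent of the wildcard term  *.iso*\:*  from the EDR query:
# ".iso" somewhere in the value, followed later by ":" (the NTFS stream
# separator). The drive-letter colon in "C:\..." comes before ".iso",
# so it does not satisfy the pattern on its own.
ISO_ADS = re.compile(r"\.iso.*:", re.IGNORECASE)

DEFAULT_PROCESSES = {"msedge.exe"}                            # named on the page
BROKER_PROCESSES = {"browser_broker.exe", "runtimebroker.exe"}  # optional additions


def split_stream(path: str) -> Tuple[str, Optional[str]]:
    r"""Split 'C:\dir\file.iso:Zone.Identifier' into (file path, stream name).
    The drive-letter colon at index 1 is skipped when looking for the separator."""
    sep = path.find(":", 2)
    if sep == -1:
        return path, None
    return path[:sep], path[sep + 1:]


def matches_query(event: Dict, include_brokers: bool = False) -> bool:
    r"""Local evaluation of:
    process_name:<browser> AND (filemod:*.iso*\:* OR path:*.iso*\:*)"""
    procs = DEFAULT_PROCESSES | (BROKER_PROCESSES if include_brokers else set())
    if event["process_name"].lower() not in procs:
        return False
    candidates = [event.get("path", "")] + event.get("filemod", [])
    return any(ISO_ADS.search(c) for c in candidates)


def find_ads_events(events: List[Dict], include_brokers: bool = False) -> List[Dict]:
    return [e for e in events if matches_query(e, include_brokers)]


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "msedge.exe", "path": r"C:\Program Files\Edge\msedge.exe",
     "filemod": [r"C:\Users\alice\Downloads\invoice.iso:Zone.Identifier"]},
    {"process_name": "msedge.exe", "path": r"C:\Program Files\Edge\msedge.exe",
     "filemod": [r"C:\Users\alice\Downloads\report.pdf"]},
    {"process_name": "runtimebroker.exe", "path": r"C:\Windows\System32\RuntimeBroker.exe",
     "filemod": [r"C:\Users\bob\Downloads\setup.iso:Zone.Identifier"]},
    {"process_name": "notepad.exe", "path": r"C:\Windows\notepad.exe",
     "filemod": [r"C:\Temp\notes.iso:hidden"]},
]

if __name__ == "__main__":
    for e in find_ads_events(SAMPLE_EVENTS, include_brokers=True):
        print(e["process_name"], split_stream(e["filemod"][0]))
```

Running the block prints the two events that the query (with brokers included) would return; the notepad.exe write to an ISO stream is excluded because the query is scoped to browser processes.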