
Endpoint Standard: Policy Deny on process that can't execute out of alternative data stream

Environment

  • Endpoint Standard Sensor: 3.6.0 and higher
  • Microsoft Windows: All Supported Versions

Symptoms

Policy-applied blocks on processes that attempt to execute content from an NTFS alternate data stream (ADS). An example event reads:
The application <process path> attempted to execute content from an alternate data stream <target executable content>. A Deny policy action was applied.

Cause

Sensor version 3.6.0 and higher introduces a rule that blocks every form of execution from an NTFS Alternate Data Stream.

Resolution

To prevent a legitimate application from being blocked by this DRE rule, add the hash of the blocked target content (the ADS content named in the event) to your organization's list of approved hashes.

Additional Notes

  • Executing content out of an Alternate Data Stream is a tactic often used by malicious actors, but a few legitimate applications use it as well.
  • This blocking feature is limited to active Endpoint Standard sensors. If you have determined that the execution is legitimate, add the hash of the blocked ADS content to the Company Approved list. Note that other approved reputations, such as Common Approved, will still not be allowed to load from within an ADS; this limits exposure to living-off-the-land binaries running out of alternate data streams.
  • For more information on hiding artifacts in NTFS file attributes, see MITRE ATT&CK technique T1564.004: https://attack.mitre.org/techniques/T1564/004/
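The Resolution and the Additional Notes above both turn on one value: the hash of the content inside the alternate data stream, which must match what the sensor reported before it is added to the Company Approved list. The PowerShell below is an added example, not code from the Carbon Black article, that inventories the alternate data streams on a file and computes the SHA-256 of each one so an administrator can cross-check the reported target hash. It assumes the approved list accepts SHA-256 values, and the demo file and stream content at the bottom are constructed sample text, not a real blocked executable.

```powershell
# Added example (not from the Carbon Black KB article). Lists every NTFS alternate
# data stream on a file and returns its SHA-256, for cross-checking the target hash
# in a "Deny policy action" event before that hash is approved.
# Assumption: the Company Approved list takes SHA-256 hashes.
# Runs on Windows PowerShell 5.1 and PowerShell 7+.

function Get-AdsHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Get-Item -Stream * enumerates every NTFS stream on the file. ':$DATA' is the
    # primary (unnamed) stream, so it is skipped to report only alternate streams.
    $streams = Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($s in $streams) {
            # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte;
            # PowerShell 6+ replaced that switch with -AsByteStream.
            if ($PSVersionTable.PSVersion.Major -ge 6) {
                $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -AsByteStream -Raw
            } else {
                $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -Encoding Byte -Raw
            }
            # An empty stream comes back as $null; hash it as zero bytes.
            if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }

            $hex = ($sha256.ComputeHash([byte[]]$bytes) |
                ForEach-Object { $_.ToString('x2') }) -join ''

            [pscustomobject]@{
                File   = $item.FullName
                Stream = $s.Stream
                Length = $s.Length
                SHA256 = $hex
            }
        }
    } finally {
        $sha256.Dispose()
    }
}

# Demo on a constructed file in %TEMP%. The stream content is harmless sample text
# standing in for whatever the sensor reported as blocked.
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'primary stream content'
Set-Content -LiteralPath $demo -Stream 'sample' -Value 'constructed alternate stream content'

Get-AdsHash -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo
```

Run `Get-AdsHash -Path '<host file from the event>'` against the file named in the Deny event and compare the SHA256 column with the target hash the sensor reported; only when they match, and the application has been confirmed legitimate, does that value belong on the Company Approved list. As the note above states, placing it under another reputation such as Common Approved will not lift the block.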

Creation Date: 01-25-2021