Potential Rundll32 Execution With DLL Stored In ADS (9248c7e1-2bf3-4661-a22c-600a8040b446)

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | Potential Rundll32 Execution With DLL Stored In ADS (9248c7e1-2bf3-4661-a22c-600a8040b446) | Sigma-Rules | 1 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | 2 |