Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream (a8f866e1-bdd4-425e-a27a-37619238d9c7)

Detects the creation of a hidden file or folder using the "::$index_allocation" stream, a technique that can be used to prevent tooling such as "explorer.exe" and "powershell.exe" from accessing the folder and its files.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream (a8f866e1-bdd4-425e-a27a-37619238d9c7) | Sigma-Rules | 1 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | 2 |