Where can I find information about Alternate Data Stream Detection queries?


Article ID: 290852


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Where can information be found to write queries regarding Alternate Data Stream Detection (ADS)?

Environment

  • Carbon Black EDR: Version 7.x and Higher

Resolution

The Threat Research article "Alternate Data Stream Detection (ADS)" contains older information about this kind of investigation. An updated version of the query for EDR 7.x and above is:
process_name:msedge.exe AND (filemod:.iso*\:* OR path:*.iso*\:*)

Additional Information

  • If more information is necessary, please reply in the comment section of the post.
  • Files are sometimes downloaded by "browser_broker.exe" or "runtimebroker.exe", so these processes can be added to the query as well.
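As an added illustration (not part of the article or of Carbon Black's tooling), the helper below builds the Resolution query widened to the broker processes named above, and applies the same ADS-on-ISO logic locally to constructed sample events so an analyst can see which file paths the `.iso*\:*` pattern is meant to catch. The process list, sample paths and stream names are assumptions.

```python
import re

# Hypothetical helper, not Carbon Black's own code. Process names are the ones
# the article mentions: Edge plus the two brokers that sometimes do the download.
DEFAULT_PROCESSES = ("msedge.exe", "browser_broker.exe", "runtimebroker.exe")

# Local stand-in for the filemod/path pattern '.iso*\:*': '.iso' followed later
# by a colon, i.e. an alternate data stream appended to an ISO file name.
ISO_ADS = re.compile(r"\.iso.*:", re.IGNORECASE)


def build_ads_iso_query(processes=DEFAULT_PROCESSES):
    """Return the article's query widened to several process names.
    In EDR query syntax '\\:' escapes the colon so it is matched literally
    instead of being read as a field separator."""
    proc_clause = " OR ".join(f"process_name:{p}" for p in processes)
    return f"({proc_clause}) AND (filemod:.iso*\\:* OR path:*.iso*\\:*)"


def split_ads(path):
    """Split a Win32 path into (file path, stream name or None).
    The drive-letter colon is not a stream separator, and a trailing
    ':$DATA' stream-type suffix is dropped from the stream name."""
    drive, rest = "", path
    if re.match(r"^[A-Za-z]:", path):
        drive, rest = path[:2], path[2:]
    if ":" not in rest:
        return path, None
    base, stream = rest.split(":", 1)
    stream = re.sub(r":\$DATA$", "", stream, flags=re.IGNORECASE)
    return drive + base, stream


def triage(events, processes=DEFAULT_PROCESSES):
    """Apply the logic the query encodes to (process, path) events and
    return (process, file, stream) for each hit, for analyst review."""
    hits = []
    for proc, path in events:
        if proc.lower() in processes and ISO_ADS.search(path):
            base, stream = split_ads(path)
            hits.append((proc, base, stream))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("msedge.exe", r"C:\Users\alice\Downloads\setup.iso:Zone.Identifier:$DATA"),
    ("RuntimeBroker.exe", r"C:\Users\alice\Downloads\tool.iso:Zone.Identifier"),
    ("msedge.exe", r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"),
    ("msedge.exe", r"C:\Users\alice\Downloads\disk.iso"),
]
```

Only the two ISO paths carrying a stream are reported; the PDF with a stream and the ISO without one are passed over, mirroring what the EDR query would return.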