Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspicious Script and Executable Locations

Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspicious Script and Executable Locations

Reduce False Positives with Recycle Bin and ADAMNTDS.DIT and NTDS.DIT

Exclude Intel and Temp from root_nonstand_fold as other rules cover this

Add MFT Rules to Cover Root of Program Files and Windows Folders

Add MFT rule for RTLO and add .lnk to most sup_script_exec rules

Author: reece394

rules/mft/adamntds_dit_mft.yml

@@ -33,9 +33,11 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
-  condition: (adamntds and adamntds_1) and not adamntds_2
+  condition: (adamntds and adamntds_1) and not (adamntds_2 or adamntds_3)
 
   adamntds:
     FullPath:
@@ -49,4 +51,8 @@ filter:
     FullPath:
       - 'iProgram Files\Microsoft ADAM\*'
       - 'iWindows\WinSxS*'
-      - 'iWindows\servicing\LCU\*'
+      - 'iWindows\servicing\LCU\*'
+    
+  adamntds_3:
+    FileSize:
+      - 55

rules/mft/advanced_ip_scanner_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)

rules/mft/advanced_port_scanner_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: aps and (aps_1 or aps_2 or aps_3 or aps_4)

rules/mft/angry_ip_scanner_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)

rules/mft/anydesk_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: anydesk and (anydesk_1 or anydesk_2 or anydesk_3 or anydesk_4 or anydesk_5 or anydesk_6)

rules/mft/browserscan_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: (browserscan and browserscan_loot) or (browserscan_1 and browserscan_2)

rules/mft/filezilla_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: filezilla and (filezilla_1 or filezilla_2 or filezilla_3 or filezilla_4)

rules/mft/lsass_dmp_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: lsass and (lsass_1 or lsass_2)

rules/mft/megasync_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ms and (ms_1 or ms_2 or ms_3)

rules/mft/mimikatz_mft.yml

@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: mimikatz