Skip to content

Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspicious Script and Executable Locations #212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
FranticTyping merged 3 commits into from
Oct 12, 2025
Merged

Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspicious Script and Executable Locations #212

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7d734ac
Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspiciou…
reece394 Dec 29, 2024
2714c15
Resolve level comments
reece394 Jan 4, 2025
1e5c1b0
Fix Regex Problem
reece394 Jan 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions rules/mft/adamntds_dit_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,11 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: (adamntds and adamntds_1) and not adamntds_2
condition: (adamntds and adamntds_1) and not (adamntds_2 or adamntds_3)

adamntds:
FullPath:
Expand All @@ -49,4 +51,8 @@ filter:
FullPath:
- 'iProgram Files\Microsoft ADAM\*'
- 'iWindows\WinSxS*'
- 'iWindows\servicing\LCU\*'
- 'iWindows\servicing\LCU\*'

adamntds_3:
FileSize:
- 55
2 changes: 2 additions & 0 deletions rules/mft/advanced_ip_scanner_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/advanced_port_scanner_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: aps and (aps_1 or aps_2 or aps_3 or aps_4)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/angry_ip_scanner_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/anydesk_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: anydesk and (anydesk_1 or anydesk_2 or anydesk_3 or anydesk_4 or anydesk_5 or anydesk_6)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/browserscan_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: (browserscan and browserscan_loot) or (browserscan_1 and browserscan_2)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/filezilla_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: filezilla and (filezilla_1 or filezilla_2 or filezilla_3 or filezilla_4)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/lsass_dmp_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: lsass and (lsass_1 or lsass_2)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/megasync_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ms and (ms_1 or ms_2 or ms_3)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/mimikatz_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: mimikatz
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/netscan_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: netscan and (netscan_1 or netscan_2 or netscan_3)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/nirsoft_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: nirsoft and (nirsoft_1 or nirsoft_2 or nirsoft_3)
Expand Down
10 changes: 8 additions & 2 deletions rules/mft/ntds_dit_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,11 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: (ntds and ntds_1) and not ntds_2
condition: (ntds and ntds_1) and not (ntds_2 or ntds_3)

ntds:
FullPath:
Expand All @@ -50,4 +52,8 @@ filter:
- 'iWindows\NTDS\NTDS.dit'
- 'iWindows\WinSxS*'
- 'iWindows\servicing\LCU\*'
- 'i*adamntds.dit*'
- 'i*adamntds.dit*'

ntds_3:
FileSize:
- 55
2 changes: 2 additions & 0 deletions rules/mft/processhacker_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ph and (ph_1 or ph_2 or ph_3 or ph_4)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/psexec_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: psexec or (key_1 and key_2)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/pstools_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: pstools or (pstools_1 and pstools_2)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/rclone_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: rclone or (rclone_1 and rclone_2)
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/rubeus_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: rubeus
Expand Down
2 changes: 2 additions & 0 deletions rules/mft/shadow_dumper_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: shadowdumper
Expand Down
118 changes: 118 additions & 0 deletions rules/mft/sup_script_exec_intel_mft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
---
title: Suspicious Script or Executable Location - Intel
group: MFT
description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
authors:
- Reece394


kind: mft
level: medium
status: stable
timestamp: StandardInfoCreated


fields:
- name: FileNamePath
to: FullPath
- name: StandardInfoLastModified0x10
to: StandardInfoLastModified
- name: StandardInfoLastAccess0x10
to: StandardInfoLastAccess
- name: FileNameCreated0x30
to: FileNameCreated
- name: FileNameLastModified0x30
to: FileNameLastModified
- name: FileNameLastAccess0x30
to: FileNameLastAccess
- name: FileSize
to: FileSize
- name: IsADirectory
to: IsADirectory
- name: IsDeleted
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: sup and directory

sup:
FullPath:
- 'i*.bat'
- 'i*.cmd'
- 'i*.cpl'
- 'i*.ex'
- 'i*.ex_'
- 'i*.exe'
- 'i*.jse'
- 'i*.msc'
- 'i*.ps1'
- 'i*.ps1xml'
- 'i*.ps2'
- 'i*.ps2xml'
- 'i*.psc1'
- 'i*.psc2'
- 'i*.msh'
- 'i*.msh1'
- 'i*.msh2'
- 'i*.mshxml'
- 'i*.msh1xml'
- 'i*.msh2xml'
- 'i*.reg'
- 'i*.vb'
- 'i*.vbe'
- 'i*.ws'
- 'i*.wsf'
- 'i*.wsc'
- 'i*.hta'
- 'i*.vbs'
- 'i*.com'
- 'i*.dll'
- 'i*.sys'
- 'i*.isu'
- 'i*.scr'
- 'i*.mst'
- 'i*.job'
- 'i*.paf'
- 'i*.sct'
- 'i*.gadget'
- 'i*.pif'
- 'i*.shb'
- 'i*.vbscript'
- 'i*.inf'
- 'i*.inf1'
- 'i*.shs'
- 'i*.bin'
- 'i*.ins'
- 'i*.u3p'
- 'i*.wsh'
- 'i*.inx'
- 'i*.js'
- 'i*.msi'
- 'i*.msp'
- 'i*.rgs'
- 'i*.sh'
- 'i*.run'
- 'i*.jar'
- 'i*.py'
- 'i*.py3'
- 'i*.pyc'
- 'i*.pyo'
- 'i*.pyw'
- 'i*.pyx'
- 'i*.pyd'
- 'i*.pxd'
- 'i*.pyi'
- 'i*.pyz'
- 'i*.pl'
- 'i*.rb'
- 'i*.ocx'
- 'i*.scf'
- 'i*.lnk'

directory:
FullPath:
- 'iIntel\*'
Loading