splunk / attack_data

A repository of curated datasets from various attacks
Apache License 2.0
570 stars, 94 forks

Nterl0k - T1564.004 NTFS Alternate Data Streams abuse #850

Closed. nterl0k closed this 9 months ago.

nterl0k commented 10 months ago

testing data and script for upcoming detection submission

patel-bhavin commented 9 months ago

@nterl0k: Hello Steven! Thanks for contributing this to attack data! The ps1 file in here is better suited as an atomic in this project: https://github.com/redcanaryco/atomic-red-team would be an awesome contribution! I can work with you to get your atomic published in that repo, as some of us on STRT are also maintainers of that project. Can you perhaps update this PR after removing the ps file from here? We also suggest adding the ps file as a GitHub gist on your profile and linking it in the detection references.

nterl0k commented 9 months ago

File removed from repo

I'll look at making a PR to atomic in the future.

Regards,

Steven.


patel-bhavin commented 9 months ago

wow! that was quick. 👍