WithSecureLabs
diff --git a/‎rules/mft/adamntds_dit_mft.yml
+8-2 b/‎rules/mft/adamntds_dit_mft.yml
+8-2
diff --git a/‎rules/mft/advanced_ip_scanner_mft.yml
+2 b/‎rules/mft/advanced_ip_scanner_mft.yml
+2
diff --git a/‎rules/mft/advanced_port_scanner_mft.yml
+2 b/‎rules/mft/advanced_port_scanner_mft.yml
+2
diff --git a/‎rules/mft/angry_ip_scanner_mft.yml
+2 b/‎rules/mft/angry_ip_scanner_mft.yml
+2
diff --git a/‎rules/mft/anydesk_mft.yml
+2 b/‎rules/mft/anydesk_mft.yml
+2
diff --git a/‎rules/mft/browserscan_mft.yml
+2 b/‎rules/mft/browserscan_mft.yml
+2
diff --git a/‎rules/mft/filezilla_mft.yml
+2 b/‎rules/mft/filezilla_mft.yml
+2
diff --git a/‎rules/mft/lsass_dmp_mft.yml
+2 b/‎rules/mft/lsass_dmp_mft.yml
+2
diff --git a/‎rules/mft/megasync_mft.yml
+2 b/‎rules/mft/megasync_mft.yml
+2
diff --git a/‎rules/mft/mimikatz_mft.yml
+2 b/‎rules/mft/mimikatz_mft.yml
+2
diff --git a/‎rules/mft/netscan_mft.yml
+2 b/‎rules/mft/netscan_mft.yml
+2
diff --git a/‎rules/mft/nirsoft_mft.yml
+2 b/‎rules/mft/nirsoft_mft.yml
+2
diff --git a/‎rules/mft/ntds_dit_mft.yml
+8-2 b/‎rules/mft/ntds_dit_mft.yml
+8-2
diff --git a/‎rules/mft/processhacker_mft.yml
+2 b/‎rules/mft/processhacker_mft.yml
+2
diff --git a/‎rules/mft/psexec_mft.yml
+2 b/‎rules/mft/psexec_mft.yml
+2
diff --git a/‎rules/mft/pstools_mft.yml
+2 b/‎rules/mft/pstools_mft.yml
+2
diff --git a/‎rules/mft/rclone_mft.yml
+2 b/‎rules/mft/rclone_mft.yml
+2
diff --git a/‎rules/mft/rubeus_mft.yml
+2 b/‎rules/mft/rubeus_mft.yml
+2
diff --git a/‎rules/mft/shadow_dumper_mft.yml
+2 b/‎rules/mft/shadow_dumper_mft.yml
+2
diff --git a/‎rules/mft/sup_script_exec_intel_mft.yml
+118 b/‎rules/mft/sup_script_exec_intel_mft.yml
+118
@@ -33,9 +33,11 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
-  condition: (adamntds and adamntds_1) and not adamntds_2
+  condition: (adamntds and adamntds_1) and not (adamntds_2 or adamntds_3)
 
   adamntds:
     FullPath:
@@ -49,4 +51,8 @@ filter:
     FullPath:
       - 'iProgram Files\Microsoft ADAM\*'
       - 'iWindows\WinSxS*'
-      - 'iWindows\servicing\LCU\*'
+      - 'iWindows\servicing\LCU\*'
+    
+  adamntds_3:
+    FileSize:
+      - 55
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: aps and (aps_1 or aps_2 or aps_3 or aps_4)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: anydesk and (anydesk_1 or anydesk_2 or anydesk_3 or anydesk_4 or anydesk_5 or anydesk_6)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: (browserscan and browserscan_loot) or (browserscan_1 and browserscan_2)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: filezilla and (filezilla_1 or filezilla_2 or filezilla_3 or filezilla_4)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: lsass and (lsass_1 or lsass_2)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ms and (ms_1 or ms_2 or ms_3)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: mimikatz
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: netscan and (netscan_1 or netscan_2 or netscan_3)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: nirsoft and (nirsoft_1 or nirsoft_2 or nirsoft_3)
 
@@ -33,9 +33,11 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
-  condition: (ntds and ntds_1) and not ntds_2
+  condition: (ntds and ntds_1) and not (ntds_2 or ntds_3)
 
   ntds:
     FullPath:
@@ -50,4 +52,8 @@ filter:
       - 'iWindows\NTDS\NTDS.dit'
       - 'iWindows\WinSxS*'
       - 'iWindows\servicing\LCU\*'
-      - 'i*adamntds.dit*'
+      - 'i*adamntds.dit*'
+
+  ntds_3:
+    FileSize:
+      - 55
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: ph and (ph_1 or ph_2 or ph_3 or ph_4)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: psexec or (key_1 and key_2)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: pstools or (pstools_1 and pstools_2)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: rclone or (rclone_1 and rclone_2)
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: rubeus
 
@@ -33,6 +33,8 @@ fields:
     to: IsDeleted
   - name: HasAlternateDataStreams
     to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
 
 filter:
   condition: shadowdumper
 
@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Location - Intel
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+  - Reece394
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: sup and directory
+
+  sup:
+    FullPath:
+      - 'i*.bat'
+      - 'i*.cmd'
+      - 'i*.cpl'
+      - 'i*.ex'
+      - 'i*.ex_'
+      - 'i*.exe'
+      - 'i*.jse'
+      - 'i*.msc'
+      - 'i*.ps1'
+      - 'i*.ps1xml'
+      - 'i*.ps2'
+      - 'i*.ps2xml'
+      - 'i*.psc1'
+      - 'i*.psc2'
+      - 'i*.msh'
+      - 'i*.msh1'
+      - 'i*.msh2'
+      - 'i*.mshxml'
+      - 'i*.msh1xml'
+      - 'i*.msh2xml'
+      - 'i*.reg'
+      - 'i*.vb'
+      - 'i*.vbe'
+      - 'i*.ws'
+      - 'i*.wsf'
+      - 'i*.wsc'
+      - 'i*.hta'
+      - 'i*.vbs'
+      - 'i*.com'
+      - 'i*.dll'
+      - 'i*.sys'
+      - 'i*.isu'
+      - 'i*.scr'
+      - 'i*.mst'
+      - 'i*.job'
+      - 'i*.paf'
+      - 'i*.sct'
+      - 'i*.gadget'
+      - 'i*.pif'
+      - 'i*.shb'
+      - 'i*.vbscript'
+      - 'i*.inf'
+      - 'i*.inf1'
+      - 'i*.shs'
+      - 'i*.bin'
+      - 'i*.ins'
+      - 'i*.u3p'
+      - 'i*.wsh'
+      - 'i*.inx'
+      - 'i*.js'
+      - 'i*.msi'
+      - 'i*.msp'
+      - 'i*.rgs'
+      - 'i*.sh'
+      - 'i*.run'
+      - 'i*.jar'
+      - 'i*.py'
+      - 'i*.py3'
+      - 'i*.pyc'
+      - 'i*.pyo'
+      - 'i*.pyw'
+      - 'i*.pyx'
+      - 'i*.pyd'
+      - 'i*.pxd'
+      - 'i*.pyi'
+      - 'i*.pyz'
+      - 'i*.pl'
+      - 'i*.rb'
+      - 'i*.ocx'
+      - 'i*.scf'
+      - 'i*.lnk'
+
+  directory:
+    FullPath:
+      - 'iIntel\*'