
Summary
This analytic rule detects potentially malicious execution of processes from alternate data streams (ADS) in the NTFS file system on Windows. An alternate data stream lets a file carry additional data that standard file listings and metadata do not show, which makes ADS a useful technique for evading detection. The rule monitors process creation events from the Windows Security event log (Event ID 4688) and from Sysmon (Event ID 1), focusing on processes that are commonly leveraged by threat actors for malicious purposes. A regular expression filters for ADS syntax, narrowing the relevant logs to those that indicate a process accessing a hidden stream. If a process is found to execute from an alternate data stream, the rule raises an alert indicating a potential security incident that should be investigated for further risk to the system and network.
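As an added illustration (not the rule's own query or code), the Python below applies the same idea to constructed Security 4688 and Sysmon 1 records: it tokenizes the image path and command line, ignores the drive-letter colon, and flags `file:stream[:$DATA]` references. The field names, the regular expression and the sample events are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Keeps double-quoted spans (paths with spaces) as one token; Windows quoting
# is not POSIX, so shlex is deliberately avoided.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
DRIVE_RE = re.compile(r'^[A-Za-z]:')  # 'C:' is a drive prefix, not a stream separator
# <path component containing '\' or '.'>:<stream>[:$DATA]. The stream part may
# not contain ':' or a path separator, which rules out URLs such as https://host/.
ADS_RE = re.compile(r'^(?P<file>[^:]*[\\.][^:]*):(?P<stream>[^:\\/]+)(?::\$DATA)?$')

def find_ads_references(text: str) -> List[Tuple[str, str]]:
    """Return (file, stream) pairs for every ADS-style reference in text."""
    hits = []
    for token in TOKEN_RE.findall(text or ""):
        token = token.strip('"')
        body = DRIVE_RE.sub("", token, count=1)
        m = ADS_RE.match(body)
        if m:
            drive = token[: len(token) - len(body)]  # re-attach the stripped 'C:'
            hits.append((drive + m.group("file"), m.group("stream")))
    return hits

# Field names differ between the two sources the rule consumes (assumed layout).
PROCESS_FIELDS = {
    "4688": ("NewProcessName", "CommandLine"),  # Security log, process creation
    "1": ("Image", "CommandLine"),              # Sysmon Event ID 1
}

def detect_ads_execution(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per event whose image path or command line references an ADS."""
    alerts = []
    for ev in events:
        for field in PROCESS_FIELDS.get(str(ev.get("EventID")), ()):
            refs = find_ads_references(ev.get(field, ""))
            if refs:
                alerts.append({"EventID": str(ev["EventID"]), "field": field,
                               "file": refs[0][0], "stream": refs[0][1]})
                break
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\readme.txt:hidden.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\notes.txt:run.js"'},
    {"EventID": 1, "Image": r"C:\Program Files\Browser\browser.exe",  # benign: URL and time
     "CommandLine": r'"C:\Program Files\Browser\browser.exe" https://example.com/update 12:30'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c more < C:\Temp\cover.txt:payload.exe:$DATA"},
]
```

Running `detect_ads_execution(SAMPLE_EVENTS)` yields three alerts (the browser event with a URL and a clock time is not matched), which is the false-positive boundary a regex-based ADS filter has to get right.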
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Web Credential
- Application Log
ATT&CK Techniques
- T1564
- T1564.004
Created: 2024-12-10