
Summary
This detection rule identifies the suspicious creation of Alternate Data Streams (ADS) on NTFS file systems. A legitimate file rarely carries a named stream beyond its default data stream, so a newly created ADS on certain file types is a useful signal. Attackers misuse ADS to conceal malware or other unauthorized data inside an otherwise innocuous host file, because the stream is not shown by a standard directory listing and is overlooked by many file-inspection tools. The rule analyzes file creation events from several log sources, matching those whose target path references a named stream, while excluding known benign processes and paths. It also provides a detailed investigation guide and response steps to help analysts triage alerts effectively.
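The following is an added example of the detection logic described above, run over a handful of constructed file-creation events; it is not the rule's own query, and the process and stream allowlists it uses are hypothetical stand-ins for whatever exclusions the real rule carries. It parses the `host:stream[:$type]` form of an NTFS stream reference from the last path component (so the drive-letter colon is never mistaken for a stream), treats `::$DATA` as the unnamed default stream rather than an ADS, and drops events from assumed-benign processes and the Mark-of-the-Web `Zone.Identifier` stream that browsers write.

```python
"""Detect suspicious Alternate Data Stream (ADS) creation in file events.

Added example, not the rule's own query. Events are constructed inline;
the allowlists are assumptions, not the rule's actual exclusion lists.
"""
from dataclasses import dataclass
import re

# Hypothetical allowlists (assumptions for this example, not from the rule).
BENIGN_STREAMS = {"zone.identifier"}   # Mark-of-the-Web, written by browsers on download
BENIGN_PROCESSES = {"msedge.exe", "chrome.exe", "explorer.exe"}

# An NTFS stream reference is "<host>:<stream>[:<$type>]" in the final path
# component. The stream name must be non-empty, so "file.txt::$DATA" (the
# unnamed default stream) is deliberately not matched.
_STREAM_RE = re.compile(r"^(?P<host>[^:]*):(?P<stream>[^:]+)(?::(?P<type>\$\w+))?$")


@dataclass(frozen=True)
class Finding:
    host_file: str   # full path of the file that carries the stream
    stream: str      # name of the alternate stream that was created
    process: str     # process that created it


def parse_ads(path: str):
    """Return (host_path, stream_name) if `path` names an ADS, else None."""
    head, sep, tail = path.rpartition("\\")
    m = _STREAM_RE.match(tail)
    if m is None:
        return None
    return head + sep + m.group("host"), m.group("stream")


def detect_suspicious_ads(events):
    """Apply the rule's shape: creation events naming a stream, minus allowlists."""
    findings = []
    for ev in events:
        if ev.get("event.action") != "creation":
            continue
        parsed = parse_ads(ev["file.path"])
        if parsed is None:
            continue                      # ordinary file, no stream reference
        host, stream = parsed
        proc = ev["process.name"].lower()
        if stream.lower() in BENIGN_STREAMS or proc in BENIGN_PROCESSES:
            continue                      # known benign stream or creator
        findings.append(Finding(host, stream, proc))
    return findings


# Constructed sample events (not real telemetry), ECS-style field names.
SAMPLE_EVENTS = [
    {"event.action": "creation",
     "file.path": r"C:\Users\bob\Downloads\setup.exe:Zone.Identifier",
     "process.name": "msedge.exe"},                       # benign MOTW stream
    {"event.action": "creation",
     "file.path": r"C:\Users\bob\Documents\notes.txt:payload.exe",
     "process.name": "powershell.exe"},                   # suspicious
    {"event.action": "creation",
     "file.path": r"C:\Users\bob\Documents\report.docx",
     "process.name": "winword.exe"},                      # no stream at all
    {"event.action": "creation",
     "file.path": r"C:\Temp\a.txt:b:$DATA",
     "process.name": "cmd.exe"},                          # suspicious, typed stream
    {"event.action": "modification",
     "file.path": r"C:\Temp\c.txt:d",
     "process.name": "cmd.exe"},                          # not a creation event
]

if __name__ == "__main__":
    for f in detect_suspicious_ads(SAMPLE_EVENTS):
        print(f"ADS created: {f.host_file} -> stream '{f.stream}' by {f.process}")
```

In a real pipeline the events would come from the endpoint sensor; Sysmon's FileCreateStreamHash event (ID 15) is one common source of ADS creation telemetry. Tuning the allowlists is where most of the false-positive work lives, since `Zone.Identifier` alone accounts for the bulk of legitimate ADS writes on a workstation.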
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1564
- T1564.004
Created: 2021-01-21