
Summary
This detection rule identifies the creation or execution of an Alternate Data Stream (ADS) attached to the root directory of a Windows volume. NTFS lets a file or directory carry multiple named data streams in addition to its default data; attackers abuse this to hide tools or payloads in a stream that most file listings and standard utilities do not display (ATT&CK T1564.004, NTFS File Attributes). A stream attached directly to the volume root, for example C:\:payload.exe, is rarely written by legitimate software and is easy to overlook during triage, so this location is a strong signal. The rule is written in EQL (Event Query Language) and matches two kinds of events: 'file' events of type creation whose file path, and 'process' events of type start whose executable path, match a regular expression for a volume-root ADS path (a drive letter, a backslash, then a colon and the stream name, e.g. C:\:name, as opposed to an ordinary path such as C:\dir\file.txt). The rule page also provides investigation steps and tips for recognising false positives from legitimate applications, and outlines remediation steps if malicious activity is confirmed.
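The following is an added example, not the rule's own EQL query and not Elastic code: it re-implements the matching logic described above in Python and runs it over a few constructed sample events. The regular expression, the ECS-style field names and the sample events are assumptions modelled on the summary; an ordinary Zone.Identifier stream on a downloaded file is included to show that it must not fire.

```python
import re

# A volume-root ADS path: drive letter, backslash, colon, then the stream name
# (optionally followed by ":$DATA"). Assumption modelled on the rule description,
# not the rule's own query.
VOLUME_ROOT_ADS = re.compile(r"^[A-Za-z]:\\:[^\\]+$")

# Constructed sample events using ECS-style field names (not real telemetry).
SAMPLE_EVENTS = [
    # Should fire: a stream written directly on the C: root.
    {"event.category": "file", "event.type": "creation",
     "file.path": r"C:\:update.exe", "process.name": "powershell.exe"},
    # Should fire: a process started from a stream on the D: root.
    {"event.category": "process", "event.type": "start",
     "process.executable": r"D:\:svc.exe", "process.name": "svc.exe"},
    # Must not fire: a normal Mark-of-the-Web stream on a downloaded file.
    {"event.category": "file", "event.type": "creation",
     "file.path": r"C:\Users\alice\Downloads\tool.zip:Zone.Identifier",
     "process.name": "chrome.exe"},
    # Must not fire: right path shape but the wrong event type (deletion).
    {"event.category": "file", "event.type": "deletion",
     "file.path": r"C:\:update.exe", "process.name": "cmd.exe"},
    # Must not fire: ordinary executable path.
    {"event.category": "process", "event.type": "start",
     "process.executable": r"C:\Windows\System32\notepad.exe",
     "process.name": "notepad.exe"},
]


def is_volume_root_ads(path):
    """True if `path` names a stream attached to a volume's root directory."""
    return bool(path) and VOLUME_ROOT_ADS.match(path) is not None


def matches_rule(event):
    """Apply the two branches of the rule: file creation, or process start."""
    cat, typ = event.get("event.category"), event.get("event.type")
    if cat == "file" and typ == "creation":
        return is_volume_root_ads(event.get("file.path"))
    if cat == "process" and typ == "start":
        return is_volume_root_ads(event.get("process.executable"))
    return False


def run_detection(events):
    """Return the events that the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


def summarize_alert(event):
    """One-line triage summary: which drive, which stream, which process."""
    path = event.get("file.path") or event.get("process.executable")
    drive, stream = path[0].upper(), path[4:]  # skip "X:\:" prefix
    return (f"{event['event.category']}/{event['event.type']} "
            f"volume-root ADS {drive}:\\:{stream} "
            f"by {event.get('process.name', '?')}")


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(summarize_alert(hit))
```

The process branch matters as much as the file branch: an ADS that was planted before the sensor was installed leaves no creation event, but will still surface when something executes it. When tuning, check the responsible process.name and whether the same stream name recurs across hosts before treating a hit as benign.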
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
- Application Log
- Network Traffic
ATT&CK Techniques
- T1564
- T1564.004
Created: 2024-03-14