
Summary
This detection rule identifies the writing of executable content to an Alternate Data Stream (ADS) in the NTFS file system by monitoring Sysmon Event ID 15. It uses a regular expression to select streams whose content has a Portable Executable (PE) structure, relying on the IMPHASH value, which Sysmon computes only for PE files, to confirm that the written content is executable rather than benign data. The rule matters because it can surface threat actor activity that stages malicious code in hidden file areas, potentially for persistence or later execution. Confirmed hits may indicate attackers attempting to execute hidden payloads, maintain unauthorized access, or escalate privileges within the environment. Implementation requires an environment that ingests Sysmon data, specifically Event ID 15, with hashing enabled in the Sysmon configuration.
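As an added illustration (not part of the rule or its project), the following Python sketch applies the described logic to constructed Sysmon Event ID 15 records: the field names EventID, Image, TargetFilename and Hashes follow Sysmon's schema, the event values are made up, and the ADS path pattern is an assumption.

```python
import json
import re

# Sysmon reports IMPHASH only for PE files; non-PE content gets 32 zeros.
NULL_IMPHASH = "0" * 32
# Match the IMPHASH entry inside Sysmon's comma-separated Hashes field.
IMPHASH_RE = re.compile(r"(?:^|,)IMPHASH=([0-9A-Fa-f]{32})(?:,|$)")
# Assumed ADS shape: <drive>:\<path>:<stream>, where the final colon is not the drive colon.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")

# Constructed sample events (not real telemetry) in the JSON shape a forwarder typically emits.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 15, "Image": "C:\\Windows\\System32\\cmd.exe",
                "TargetFilename": "C:\\Users\\u\\Documents\\notes.txt:payload",
                "Hashes": "SHA256=" + "ab" * 32 + ",IMPHASH=7A1B5E9C0D4F3A2B1C8D7E6F5A4B3C2D"}),
    # A non-PE stream: IMPHASH is all zeros, so it must not alert.
    json.dumps({"EventID": 15, "Image": "C:\\Program Files\\browser.exe",
                "TargetFilename": "C:\\Users\\u\\Downloads\\report.pdf:Zone.Identifier",
                "Hashes": "SHA256=" + "cd" * 32 + ",IMPHASH=" + NULL_IMPHASH}),
    # A regular PE file create (Event ID 11, no stream) is out of scope for this rule.
    json.dumps({"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
                "TargetFilename": "C:\\Users\\u\\Desktop\\tool.exe",
                "Hashes": "SHA256=" + "ef" * 32 + ",IMPHASH=1F2E3D4C5B6A79880716253443526170"}),
]


def parse_imphash(hashes):
    """Return the IMPHASH from a Sysmon Hashes field, or None if absent."""
    m = IMPHASH_RE.search(hashes or "")
    return m.group(1).upper() if m else None


def is_pe_in_ads(event):
    """True when an Event ID 15 record shows PE content written to an ADS."""
    if event.get("EventID") != 15:
        return False
    if not ADS_RE.match(event.get("TargetFilename", "")):
        return False
    imphash = parse_imphash(event.get("Hashes"))
    return imphash is not None and imphash != NULL_IMPHASH


def detect(lines):
    """Run the rule over JSON event lines; return (Image, TargetFilename, IMPHASH) per hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_pe_in_ads(ev):
            hits.append((ev["Image"], ev["TargetFilename"], parse_imphash(ev["Hashes"])))
    return hits
```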
Categories
- Windows
- Endpoint
Data Sources
- Pod
- File
- Sensor Health
ATT&CK Techniques
- T1564
- T1564.004
Created: 2024-11-13