Unusual Process Execution Path - Alternate Data Stream

Elastic Detection Rules

Summary
This detection rule identifies processes on Windows systems that are executed from an NTFS Alternate Data Stream (ADS). NTFS allows a single file to carry several named data streams in addition to its default stream; a stream is addressed with an extra colon in the path (for example notes.txt:payload.exe), and its contents are not shown by Explorer or by a plain dir listing. Adversaries abuse this by writing a payload into a named stream of an innocuous file and launching it directly from that stream, hiding the executable from casual inspection and from tools that only examine the default stream (MITRE ATT&CK T1564.004, NTFS File Attributes). The rule alerts on a process start event whose arguments match path patterns indicative of ADS execution. Investigation steps guide analysts in confirming whether a flagged event is legitimate, including examining the process and its parent, correlating the event with other security logs, and recognizing patterns that may indicate compromise. Legitimate use cases that can trigger the detection are outlined as false positives, together with recommended remediation steps for confirmed threats.
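The argument check the summary describes, as an added Python example that is not Elastic's rule or its query: it applies an assumed ADS-path regular expression (a drive-letter path whose last component carries an extra :stream, optionally followed by :$DATA) to constructed process-start events laid out in ECS-style fields, restricts matching to Windows start events, and suppresses one known benign stream name as the kind of false-positive tuning the summary mentions. The field names, the regex, the BENIGN_STREAMS set and the sample events are all assumptions made for this example.

```python
import re
from typing import Any, Dict, List

# Assumed ADS-path pattern for this example (not the Elastic rule's own query):
# a drive-letter path whose final component is followed by ":<stream>", with an
# optional ":$DATA" stream-type suffix. The drive colon is consumed first and
# directory/file components may not contain ':', so any later colon can only be
# a stream separator. Absolute drive-letter paths only; relative and UNC paths
# are not covered.
ADS_PATH = re.compile(
    r'''
    ^"?                                  # optional opening quote
    (?P<drive>[a-z]):\\                  # drive letter and root
    (?:[^:\\"<>|?*\r\n]*\\)*             # directory components
    (?P<file>[^:\\"<>|?*\r\n]+)          # file name
    :(?P<stream>[^:\\"<>|?*\r\n]+)       # named stream
    (?::\$DATA)?                         # optional stream type
    "?$
    ''',
    re.IGNORECASE | re.VERBOSE,
)

# Streams that legitimately appear on command lines and are a known source of
# false positives (an assumed tuning list for this example, not the rule's).
BENIGN_STREAMS = {"zone.identifier"}


def ads_args(args: List[str]) -> List[Dict[str, str]]:
    """Return, for each argument that looks like an ADS path, the file and stream."""
    hits = []
    for arg in args:
        m = ADS_PATH.match(arg)
        if m:
            hits.append({"arg": arg, "file": m.group("file"), "stream": m.group("stream")})
    return hits


def detect(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule logic to process events and return one alert per matching event."""
    alerts = []
    for ev in events:
        # Scope: Windows process start events only.
        if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
            continue
        hits = [h for h in ads_args(ev.get("process.args", []))
                if h["stream"].lower() not in BENIGN_STREAMS]
        if hits:
            alerts.append({"process.name": ev.get("process.name"),
                           "process.pid": ev.get("process.pid"),
                           "ads": hits})
    return alerts


# Constructed sample events (not real telemetry), ECS-style field names assumed.
SAMPLE_EVENTS = [
    # 1. Executable launched directly from a named stream: should alert.
    {"host.os.type": "windows", "event.type": "start", "process.pid": 4120,
     "process.name": "payload.exe",
     "process.args": ["C:\\Users\\bob\\notes.txt:payload.exe"]},
    # 2. Same stream launched through wmic, with the $DATA suffix: should alert.
    {"host.os.type": "windows", "event.type": "start", "process.pid": 4132,
     "process.name": "WMIC.exe",
     "process.args": ["wmic", "process", "call", "create",
                      "C:\\Users\\bob\\notes.txt:payload.exe:$DATA"]},
    # 3. Ordinary path with only the drive colon: must not alert.
    {"host.os.type": "windows", "event.type": "start", "process.pid": 4140,
     "process.name": "notepad.exe",
     "process.args": ["C:\\Windows\\System32\\notepad.exe", "C:\\Users\\bob\\notes.txt"]},
    # 4. Reading the mark-of-the-web stream: an expected false positive, suppressed.
    {"host.os.type": "windows", "event.type": "start", "process.pid": 4151,
     "process.name": "powershell.exe",
     "process.args": ["powershell.exe", "-c", "Get-Content",
                      "C:\\Users\\bob\\setup.exe:Zone.Identifier"]},
    # 5. Quoted path containing spaces: should alert.
    {"host.os.type": "windows", "event.type": "start", "process.pid": 4160,
     "process.name": "cmd.exe",
     "process.args": ["cmd.exe", "/c", "\"C:\\Program Files\\App\\app.log:run.exe\""]},
    # 6. A process end event and a non-Windows host: both outside the rule's scope.
    {"host.os.type": "windows", "event.type": "end", "process.pid": 4120,
     "process.name": "payload.exe",
     "process.args": ["C:\\Users\\bob\\notes.txt:payload.exe"]},
    {"host.os.type": "linux", "event.type": "start", "process.pid": 900,
     "process.name": "bash",
     "process.args": ["bash", "-c", "C:\\x\\y.txt:z"]},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events, only the first, second and fifth produce alerts; the Zone.Identifier read is dropped by the allowlist, and the end event and Linux event never reach the regex. When triaging a hit, the stream named in the alert can be confirmed on the host by listing the parent directory with dir /R, which shows named streams that a plain dir hides.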
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • File
  • Service
ATT&CK Techniques
  • T1564
  • T1564.004
Created: 2020-12-04