
Summary
This detection rule identifies use of a Windows NTFS filesystem technique that allows hidden directories to be created via the `::$index_allocation` stream. When a command includes this stream reference, it can conceal files or directories, preventing access to them or visibility of them from common file navigation tools such as `explorer.exe` and `PowerShell`. Malicious actors may use this to hide artifacts from forensic tools and security monitoring. The detection is implemented by monitoring command lines for occurrences of `::$index_allocation`, with a medium severity level reflecting the technique's potential misuse in attacks aimed at evading detection and maintaining persistence. The rule has a low likelihood of false positives, making it a reliable detection approach for this unusual command-line behavior in Windows environments.
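The rule's logic, applied to sample telemetry, as an added example that is not part of the original rule page: it scans Sysmon-style process-creation events (Event ID 1, one JSON record per line) for the `::$index_allocation` stream reference in the command line and emits an alert carrying the medium severity and the ATT&CK technique the rule states. The event records, field names, user and path values are constructed for illustration; the function names (`evaluate_event`, `scan_events`) are this example's own.

```python
"""Command-line detection for the NTFS ::$index_allocation hidden-directory technique.

Added example, not code from the original rule page. It applies the rule's
logic, "alert when a process command line contains ::$index_allocation",
to constructed Sysmon-style process-creation events.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# The rule's indicator: the literal NTFS stream reference. Matched without
# regard to case, since NTFS stream names are case-insensitive.
INDEX_ALLOCATION_PATTERN = re.compile(r"::\$index_allocation", re.IGNORECASE)

# Severity and technique as stated on the rule page.
RULE_META = {
    "title": "NTFS hidden directory via ::$index_allocation",
    "severity": "medium",
    "attack_technique": "T1564.004",
}

# Constructed sample events (Sysmon Event ID 1 style, one JSON object per
# line). Illustrative only, not real telemetry. The fourth line is a network
# event and the fifth is malformed, to show that both are skipped cleanly.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'cmd.exe /c mkdir "C:\Users\Public\stash::$index_allocation"'}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r"powershell.exe -Command New-Item -ItemType Directory C:\Temp\build"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "User": "CORP\\svc_backup", "ParentImage": r"C:\Windows\System32\services.exe",
                "CommandLine": r"cmd.exe /c dir C:\Data::$INDEX_ALLOCATION"}),
    json.dumps({"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
                "CommandLine": "", "DestinationIp": "10.0.0.5"}),
    "{not valid json",
]


def evaluate_event(raw_line: str) -> Optional[Dict]:
    """Return an alert dict if this event matches the rule, else None.

    Only process-creation events (EventID 1) with a command line are
    considered; unparsable lines are ignored rather than raising.
    """
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    if event.get("EventID") != 1:
        return None
    command_line = event.get("CommandLine") or ""
    match = INDEX_ALLOCATION_PATTERN.search(command_line)
    if match is None:
        return None
    return {
        "rule": RULE_META["title"],
        "severity": RULE_META["severity"],
        "technique": RULE_META["attack_technique"],
        "user": event.get("User", ""),
        "image": event.get("Image", ""),
        "parent_image": event.get("ParentImage", ""),
        "command_line": command_line,
        # The stream reference exactly as it appeared, useful for triage.
        "matched": match.group(0),
    }


def scan_events(lines: Iterable[str]) -> List[Dict]:
    """Run the rule over a stream of event lines and collect the alerts."""
    alerts = []
    for line in lines:
        alert = evaluate_event(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['technique']} {alert['user']}: "
              f"{alert['command_line']}")
```

Both the directory creation and the later directory listing trigger, because the rule keys on the stream reference itself rather than on any particular command; the routine PowerShell `New-Item` call and the non-process events do not.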
Categories
- Endpoint
- Windows
Data Sources
- Command
- Process
ATT&CK Techniques
- T1564.004
Created: 2023-10-09