
Summary
This rule detects the execution of processes that use NTFS Alternate Data Streams (ADS). ADS are often used by adversaries to conceal files and payloads, since the hidden stream does not appear in an ordinary directory listing and is missed by detection techniques that only look at the primary data stream. The detection focuses on process creation events whose command line contains `txt:`, which indicates a stream attached to a `.txt` host file (for example `notes.txt:payload`), and pairs that with a list of binaries known to read from or write into such streams: `makecab`, `reg`, `regedit`, and `esentutl`. Both conditions must hold, an ADS-style path in the command line and one of the listed images, so benign invocations of these tools and ADS access by other processes are not flagged; this keeps the rule narrow at the cost of missing streams on host files with other extensions. The rule is built on Windows process creation logs and identifies misuse of features that exist for legitimate purposes.
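To make the match logic concrete, the following Python reproduces the two conditions described above and runs them over constructed Sysmon-style process creation records. This is an added example, not code from the rule or its project; the event dictionaries and command lines are made up for illustration, and the `Image` / `CommandLine` field names assume Sysmon Event ID 1 naming.

```python
"""Match logic of the ADS detection rule described above, evaluated over
constructed process-creation events (added example, not the rule's own code)."""
from typing import Iterable

# Images the rule treats as suspicious when paired with an ADS target.
SUSPICIOUS_IMAGES = {"makecab.exe", "reg.exe", "regedit.exe", "esentutl.exe"}

# Sigma-style 'contains' matching is case-insensitive; the rule looks for 'txt:'
# in the command line, i.e. a stream appended to a .txt host file.
ADS_MARKER = "txt:"


def image_name(image: str) -> str:
    """Return the lowercase basename of a process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(event: dict) -> bool:
    """True when both rule conditions hold: listed image AND 'txt:' in the command line."""
    return (image_name(event.get("Image", "")) in SUSPICIOUS_IMAGES
            and ADS_MARKER in event.get("CommandLine", "").lower())


def run_rule(events: Iterable[dict]) -> list[str]:
    """Return the EventIds of matching events, in order."""
    return [e["EventId"] for e in events if matches_rule(e)]


# Constructed Sysmon-like Event ID 1 records (not real telemetry). Command lines
# are modeled on how these binaries can be made to write into or read from an ADS.
SAMPLE_EVENTS = [
    {"EventId": "1", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Users\Public\payload.exe /d C:\Users\Public\readme.txt:payload.exe /o"},
    {"EventId": "2", "Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab C:\Users\Public\tool.exe C:\Users\Public\notes.txt:tool.cab"},
    {"EventId": "3", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg export HKCU\Software\Staging C:\Users\Public\log.TXT:dump.reg"},
    {"EventId": "4", "Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit /E C:\Users\Public\file.txt:export.reg HKEY_CURRENT_USER\Software\Staging"},
    # Benign: reg.exe exporting to an ordinary .reg file, no stream involved.
    {"EventId": "5", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg export HKLM\SOFTWARE\Vendor C:\backup\vendor.reg"},
    # Blind spot: an ADS on a non-.txt host file never contains 'txt:'.
    {"EventId": "6", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Users\Public\payload.exe /d C:\Users\Public\report.pdf:payload.exe /o"},
    # Blind spot: cmd.exe reading a stream is not in the image list.
    {"EventId": "7", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "type C:\Users\Public\notes.txt:hidden.txt"'},
    # Benign: a plain .txt path with no colon after the extension.
    {"EventId": "8", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['1', '2', '3', '4']
```

Events 6 and 7 show the trade-off the rule makes: a stream on a `.pdf` host file, or an ADS read through `cmd.exe`, satisfies only one of the two conditions and is not reported. Broader hunting for stream creation would need a file-level source such as Sysmon Event ID 15 (FileCreateStreamHash) rather than process creation alone.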
Categories
- Windows
- Endpoint
- Network
Data Sources
- Process
ATT&CK Techniques
- T1564.004
Created: 2021-09-01