Summary
This analytic detection rule identifies the creation of Alternate Data Streams (ADS) containing Base64-encoded content on Windows systems. It relies on Sysmon Event ID 15, which records file stream creation events, to surface hidden streams that can conceal malicious payloads. By tracking such streams, security operations center (SOC) teams can monitor for potential malware activity, since attackers often use ADS to hide executables, scripts, or configuration data. Base64 content in a stream can indicate an evasion tactic used by malware to conceal its footprint. The rule uses a regex to filter out non-relevant entries and extracts key details such as the creating process and file hashes. If this activity is confirmed as malicious, it suggests that an attacker may have established persistence or accessed sensitive information without detection.
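The detection logic described above, as an added example that is not the rule's own search or code: it runs a Base64 shape check over constructed Sysmon Event ID 15 records, drops expected noise, and pulls out the process, stream and hash fields. The flattened "key=value" record layout, the 16-character minimum length, and the exclusion of Zone.Identifier (Mark-of-the-Web) streams are assumptions made for this example.

```python
import base64
import binascii
import re

# Constructed sample Sysmon Event ID 15 (FileCreateStreamHash) records, flattened
# to "key=value" pairs separated by "|". Field names follow Sysmon; values are invented.
SAMPLE_EVENTS = [
    "EventID=15|Image=C:\\Windows\\System32\\cmd.exe|TargetFilename=C:\\Users\\alice\\notes.txt:cfg"
    "|Hash=SHA256=AAAA1111|Contents=aGlkZGVuIGNvbmZpZyBkYXRh|User=CORP\\alice",
    "EventID=15|Image=C:\\Program Files\\Browser\\browser.exe|TargetFilename=C:\\Users\\alice\\a.zip:Zone.Identifier"
    "|Hash=SHA256=BBBB2222|Contents=[ZoneTransfer] ZoneId=3|User=CORP\\alice",
    "EventID=15|Image=C:\\Windows\\notepad.exe|TargetFilename=C:\\Users\\alice\\todo.txt:stream1"
    "|Hash=SHA256=CCCC3333|Contents=buy milk and eggs|User=CORP\\alice",
    "EventID=11|Image=C:\\Windows\\notepad.exe|TargetFilename=C:\\Users\\alice\\todo.txt|Contents=|User=CORP\\alice",
]

# Base64 shape: whole groups of four alphabet chars, optional "=" padding, 16+ chars (assumed threshold).
BASE64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
IGNORED_STREAMS = {"Zone.Identifier"}  # Mark-of-the-Web streams are expected noise, not hidden data

def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))

def is_base64(text):
    """True if the text matches the Base64 shape and also decodes cleanly."""
    text = text.strip()
    if not BASE64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False

def detect_base64_ads(lines):
    """Return one alert per Event ID 15 record whose stream content is Base64."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "15":
            continue
        # Event ID 15 always logs "<path>:<stream name>"; split on the last colon.
        path, _, stream = ev.get("TargetFilename", "").rpartition(":")
        if stream in IGNORED_STREAMS or not is_base64(ev.get("Contents", "")):
            continue
        alerts.append({
            "image": ev.get("Image"), "user": ev.get("User"), "path": path, "stream": stream,
            "hash": ev.get("Hash"), "decoded": base64.b64decode(ev["Contents"].strip()).decode("utf-8", "replace"),
        })
    return alerts
```

Only the first record produces an alert: the Zone.Identifier stream is filtered by name, the plain-text stream fails the Base64 check, and the Event ID 11 record is not a stream creation at all.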
Categories
- Windows
- Endpoint
Data Sources
- Pod
- User Account
- File
ATT&CK Techniques
- T1564
- T1564.004
Created: 2024-11-13