ADS Zone.Identifier Deleted By Uncommon Application

Detects the deletion of the "Zone.Identifier" alternate data stream (ADS) by an uncommon process. Windows writes this stream, the Mark-of-the-Web, to files downloaded from the internet, and security restrictions such as Microsoft Office's Protected View key off it. An attacker who deletes the stream before opening a downloaded file can therefore bypass those restrictions; the rule alerts when a process other than Explorer or PowerShell removes it.

Sigma rule

title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: experimental
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/04
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image|endswith:
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\explorer.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other third party applications not listed.
level: medium
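To see what the rule actually fires on, here is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the detection logic above in plain Python and runs it over a handful of constructed records shaped like the Sysmon FileDelete events (Event ID 23/26) that Sigma's Windows file_delete category maps to. The event dictionaries, user names and paths are invented for illustration; the filter list is copied from the rule, and string comparisons are case-insensitive, which is Sigma's default for string matching.

```python
"""Evaluate the 'ADS Zone.Identifier Deleted By Uncommon Application' logic
over constructed file_delete events (example code, not the rule itself)."""

# Image suffixes from the rule's filter_main_generic section.
FILTER_IMAGE_SUFFIXES = (
    ":\\Program Files\\PowerShell\\7\\pwsh.exe",
    ":\\Windows\\explorer.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ":\\Windows\\SysWOW64\\explorer.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
)


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when a file_delete event satisfies
    'selection and not 1 of filter_main_*'."""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    selection = _endswith_ci(target, ":Zone.Identifier")
    filter_main_generic = any(_endswith_ci(image, s) for s in FILTER_IMAGE_SUFFIXES)
    return selection and not filter_main_generic


def find_alerts(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # 1. Explorer stripping MotW (user clicked "Unblock"): filtered out.
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm:Zone.Identifier"},
    # 2. Unknown binary in Temp removing MotW from a macro document: alert.
    {"EventID": 23, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm:Zone.Identifier"},
    # 3. powershell.exe (e.g. Unblock-File): filtered out by the rule.
    {"EventID": 23, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\tool.zip:Zone.Identifier"},
    # 4. Same unknown binary deleting the file itself, not the ADS: no match.
    {"EventID": 23, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    # 5. Lower-case stream name from an unlisted service binary: still alerts.
    {"EventID": 26, "Image": "C:\\ProgramData\\updater\\svc.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.xlsx:zone.identifier"},
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT EID {hit['EventID']}: {hit['Image']} deleted {hit['TargetFilename']}")
```

Events 2 and 5 are the only hits. Event 3 shows the practical caveat of this rule: because powershell.exe and pwsh.exe are in the filter, Mark-of-the-Web removal driven from a PowerShell host (Unblock-File, or Remove-Item with -Stream Zone.Identifier) is not alerted here and has to be covered by other detections. Event 5 shows why the case-insensitive comparison matters: a rule implementation that compares case-sensitively would miss it.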
