ADS Zone.Identifier Deleted By Uncommon Application

 1title: ADS Zone.Identifier Deleted By Uncommon Application
 2id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
 3related:
 4    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
 5      type: similar
 6status: test
 7description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
 8references:
 9    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
10    - Internal Research
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-09-04
13modified: 2024-04-26
14tags:
15    - attack.defense-evasion
16    - attack.t1070.004
17logsource:
18    product: windows
19    category: file_delete
20detection:
21    selection:
22        TargetFilename|endswith: ':Zone.Identifier'
23    filter_main_generic:
24        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
25        Image:
26            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
27            - 'C:\Program Files\PowerShell\7\pwsh.exe'
28            - 'C:\Windows\explorer.exe'
29            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
30            - 'C:\Windows\SysWOW64\explorer.exe'
31            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
32    filter_optional_browsers_chrome:
33        Image:
34            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
35            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
36    filter_optional_browsers_firefox:
37        Image:
38            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
39            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
40    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
41falsepositives:
42    - Other third party applications not listed.
43level: medium