ADS Zone.Identifier Deleted By Uncommon Application

Detects the deletion of the "Zone.Identifier" alternate data stream (ADS) by an uncommon process. The stream carries the Mark-of-the-Web for downloaded files, so attackers delete it to bypass security controls that rely on it, such as Protected View in Microsoft Office apps.

Sigma rule

title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: experimental
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/04
modified: 2023/10/18
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\explorer.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other third party applications not listed.
level: medium
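To show what the selection and filter above actually match, here is an added example (not code from the SigmaHQ rule or from this page) that re-implements the rule's detection logic in plain Python and runs it over constructed Sysmon-style file-delete events. It assumes the field names `Image` and `TargetFilename`, that the deleted stream is logged as `<path>:Zone.Identifier` in `TargetFilename` (which is what the rule relies on), and that string matching is case-insensitive, as Sigma's default modifiers are. The sample events are constructed, not real telemetry.

```python
# Added example, not part of the SigmaHQ rule. Re-implements the rule's
# selection / filter / condition in Python and evaluates constructed events.
# Assumed event shape: Sysmon Event ID 23/26 (file delete) reduced to the two
# fields the rule uses, "Image" and "TargetFilename".

# Suffixes copied verbatim from the rule's filter_main_generic list.
FILTER_MAIN_GENERIC = (
    r":\Program Files\PowerShell\7-preview\pwsh.exe",
    r":\Program Files\PowerShell\7\pwsh.exe",
    r":\Windows\explorer.exe",
    r":\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r":\Windows\SysWOW64\explorer.exe",
    r":\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Explorer "Unblock" checkbox: allow-listed by the filter.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.docm:Zone.Identifier"},
    # Unblock-File from the built-in powershell.exe: allow-listed by the filter.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tool.exe:Zone.Identifier"},
    # Unknown binary stripping the Mark-of-the-Web: this is what the rule is for.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\payload.dll:Zone.Identifier"},
    # Same binary deleting the file itself, not the stream: selection does not match.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\payload.dll"},
    # A pwsh.exe copied outside Program Files: the path-suffix filter does not cover it.
    {"Image": r"D:\Tools\pwsh.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\macro.xlsm:Zone.Identifier"},
]


def endswith_ci(value, suffix):
    """Sigma string matching is case-insensitive by default; mirror that."""
    return value.lower().endswith(suffix.lower())


def matches_selection(event):
    """selection: TargetFilename|endswith ':Zone.Identifier'"""
    return endswith_ci(event.get("TargetFilename", ""), ":Zone.Identifier")


def matches_filter_main_generic(event):
    """filter_main_generic: Image|endswith any of the allow-listed binaries"""
    image = event.get("Image", "")
    return any(endswith_ci(image, suffix) for suffix in FILTER_MAIN_GENERIC)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_filter_main_generic(event)


def evaluate(events):
    """Return the events that would raise the alert."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']}  deleted  {hit['TargetFilename']}")
```

Run against the sample set, only the `dropper.exe` stream deletion and the out-of-place `pwsh.exe` produce alerts. The two points worth keeping in mind when tuning: deletions performed through the allow-listed `explorer.exe` and `powershell.exe` (for example `Unblock-File` or `Remove-Item -Stream Zone.Identifier` from the built-in PowerShell) are suppressed by design, so this rule only covers uncommon binaries; and because the filter keys on a full path suffix rather than the file name, a renamed or relocated PowerShell still matches, which is the behaviour you want.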
