ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" alternate data stream (ADS) by an uncommon process. That stream carries the Mark-of-the-Web (MotW) on files downloaded from the internet, and deleting it strips the mark. Attackers use this to bypass protections keyed on the MotW, such as Protected View in Microsoft Office applications and Windows SmartScreen.
Sigma rule (View on GitHub)
```yaml
title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: experimental
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/04
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image|endswith:
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\explorer.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other third party applications not listed.
level: medium
```
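The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python evaluator that applies the rule's `selection` and `filter_main_generic` logic to constructed events shaped like the Sysmon file-delete records (Event ID 23/26 fields `Image` and `TargetFilename`) that the `file_delete` log source normally maps to. The sample events, user names and file paths are invented for illustration. Note that Sigma string modifiers such as `endswith` are case-insensitive by default, which is why the evaluator lowercases both sides, and that the rule's filter deliberately suppresses the two built-in ways a user removes the mark (the "Unblock" checkbox in Explorer and PowerShell's `Unblock-File`), so a deletion performed from an interactive powershell.exe session will not alert.

```python
"""Evaluate the "ADS Zone.Identifier Deleted By Uncommon Application" logic
over constructed Sysmon-style file-delete events (added example, not project code)."""

# Image suffixes accepted by the rule's filter_main_generic (copied from the rule).
FILTER_IMAGE_SUFFIXES = (
    r":\Program Files\PowerShell\7\pwsh.exe",
    r":\Windows\explorer.exe",
    r":\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r":\Windows\SysWOW64\explorer.exe",
    r":\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
)

# Suffix used by the rule's selection on TargetFilename.
SELECTION_SUFFIX = ":Zone.Identifier"


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma 'endswith' semantics: case-insensitive unless |cased is added."""
    return value.lower().endswith(suffix.lower())


def evaluate(event: dict) -> str:
    """Classify one event as 'alert', 'filtered' (selection hit but a known
    image removed it) or 'no-match' (not a Zone.Identifier deletion at all)."""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not endswith_ci(target, SELECTION_SUFFIX):
        return "no-match"
    if any(endswith_ci(image, s) for s in FILTER_IMAGE_SUFFIXES):
        return "filtered"
    return "alert"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    return evaluate(event) == "alert"


def alerts(events) -> list:
    """Return the subset of events that would raise the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # User clicked "Unblock" in Explorer: suppressed by the filter.
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docm:Zone.Identifier"},
    # Unknown binary in %TEMP% strips the mark: this is the case the rule targets.
    {"EventID": 23, "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docm:Zone.Identifier"},
    # Same binary deleting the main file, not the stream: outside the selection.
    {"EventID": 23, "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docm"},
    # Unblock-File from Windows PowerShell; upper-case stream name still matches
    # the selection, but the image is filtered.
    {"EventID": 26, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tool.zip:ZONE.IDENTIFIER"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{evaluate(ev):9s} {ev['Image']} -> {ev['TargetFilename']}")
```

Only the second sample event alerts. The fourth shows the trade-off in the filter: the mark was removed, but because the deleting image is a listed PowerShell host the rule stays quiet, so a separate rule (such as the related one referenced in the YAML) or process-creation telemetry is needed to catch `Unblock-File` abuse. Also keep in mind that Sysmon only produces these events if `FileDelete` or `FileDeleteDetected` is enabled in its configuration.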
Related rules
- Suspicious Ping/Copy Command Combination
- Suspicious Ping/Del Command Combination
- Backup Catalog Deleted
- Directory Removal Via Rmdir
- File Deletion Via Del