EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

ADS Zone.Identifier Deleted By Uncommon Application

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

MITRE ATT&CK

T1070.004
defense-evasion

Detection Query

selection:
  TargetFilename|endswith: :Zone.Identifier
filter_main_generic:
  Image:
    - C:\Program Files\PowerShell\7-preview\pwsh.exe
    - C:\Program Files\PowerShell\7\pwsh.exe
    - C:\Windows\explorer.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    - C:\Windows\SysWOW64\explorer.exe
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
filter_optional_browsers_chrome:
  Image:
    - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    - C:\Program Files\Google\Chrome\Application\chrome.exe
filter_optional_browsers_firefox:
  Image:
    - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    - C:\Program Files\Mozilla Firefox\firefox.exe
filter_optional_browsers_msedge:
  Image:
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    - C:\Program Files\Microsoft\Edge\Application\msedge.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-09-04

Data Sources

windowsfile_delete

Platforms

windows

References

Tags

attack.defense-evasionattack.t1070.004
Raw Content
title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium