Sigma | Level: low | Threat Hunting
ADS Zone.Identifier Deleted
Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this to bypass security restrictions that rely on the ADS, such as those enforced by Microsoft Office applications.
MITRE ATT&CK
Detection Query
selection:
  TargetFilename|endswith: ':Zone.Identifier'
condition: selection
Author
frack113
Created
2023-09-04
Data Sources
windows / file_delete
Platforms
windows
Tags
attack.stealth, attack.t1070.004, detection.threat-hunting
Raw Content
title: ADS Zone.Identifier Deleted
id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
related:
  - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
    type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
  - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
author: frack113
date: 2023-09-04
tags:
  - attack.stealth
  - attack.t1070.004
  - detection.threat-hunting
logsource:
  product: windows
  category: file_delete
detection:
  selection:
    TargetFilename|endswith: ':Zone.Identifier'
  condition: selection
falsepositives:
  - Likely
level: low
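As an added example (not part of the rule or the Sigma project), the detection block above evaluated the way a Sigma backend would, with the `|endswith` modifier and Sigma's default case-insensitive string matching, run over constructed Sysmon-style file-delete events; the event field names and values are assumptions for illustration.

```python
# Added example: minimal evaluator for the rule's detection block.
# Not the Sigma project's code; events below are constructed, not real telemetry.

RULE = {
    "detection": {
        "selection": {"TargetFilename|endswith": ":Zone.Identifier"},
        "condition": "selection",
    }
}


def _field_matches(event, field_spec, expected):
    """Evaluate one 'Field|modifier: value' pair against an event.
    Sigma string matching is case-insensitive, so both sides are lowered."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All field/value pairs inside one selection are AND-ed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule=RULE):
    """Only the simple 'condition: <selection name>' form is handled here."""
    det = rule["detection"]
    return selection_matches(event, det[det["condition"].strip()])


# Constructed Sysmon-style file-delete events (EventID 23); paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.exe:Zone.Identifier"},
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",  # lower-case stream name
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.docx:zone.identifier"},
    {"EventID": 23, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\cache.tmp"},  # ordinary delete, no hit
]


def find_hits(events, rule=RULE):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(e, rule)]
```

The second sample event shows why a case-sensitive search for the literal `:Zone.Identifier` would miss deletions that a Sigma backend is expected to catch; the rule's `falsepositives: Likely` reflects that the same telemetry is produced whenever a user or tool unblocks a downloaded file.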