ADS Zone.Identifier Deleted By Uncommon Application
Detects deletion of the "Zone.Identifier" alternate data stream (ADS) by an uncommon process. Attackers can delete this stream to bypass security restrictions that rely on it, such as those enforced by Microsoft Office applications.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Mon Sep 04
Updated: Fri Jul 04
Rule ID: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Delete (raw: file_delete)
Detection Logic
5 selectors
detection:
  selection:
    TargetFilename|endswith: ':Zone.Identifier'
  filter_main_generic:
    # Note: in some environments this activity might be performed by other software. Apply additional filters as necessary
    Image:
      - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
      - 'C:\Program Files\PowerShell\7\pwsh.exe'
      - 'C:\Windows\explorer.exe'
      - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      - 'C:\Windows\SysWOW64\explorer.exe'
      - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
  filter_optional_browsers_chrome:
    Image:
      - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
      - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
  filter_optional_browsers_firefox:
    Image:
      - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
      - 'C:\Program Files\Mozilla Firefox\firefox.exe'
  filter_optional_browsers_msedge:
    Image:
      - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
      - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
  condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Other third party applications not listed.
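The rule's condition, re-implemented in Python and run over constructed file_delete events so the interplay of the selection and the filter_* selectors is visible. This is an added example, not part of the rule or of the Sigma project; the event dicts are constructed, not real telemetry.

```python
from typing import Dict, List

# Sigma string matching is case-insensitive by default, so every value is
# lower-cased before comparison.  selection: TargetFilename|endswith
ZONE_SUFFIX = ":zone.identifier"
# Image paths copied from the rule's filter_main_generic selector
FILTER_MAIN_GENERIC = {p.lower() for p in [
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\explorer.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]}
# Image paths from the three filter_optional_browsers_* selectors
FILTER_OPTIONAL_BROWSERS = {p.lower() for p in [
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
]}

def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if not target.endswith(ZONE_SUFFIX):  # selection must match first
        return False
    if image in FILTER_MAIN_GENERIC:      # any filter_main_* hit suppresses
        return False
    return image not in FILTER_OPTIONAL_BROWSERS  # likewise filter_optional_*

def alerting_images(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would fire on."""
    return [e["Image"] for e in events if matches_rule(e)]

# Constructed sample file_delete events (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Explorer.EXE",  # case differs from the filter: still suppressed
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx:Zone.Identifier"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # filter_optional_*
     "TargetFilename": r"C:\Users\alice\Downloads\setup.msi:Zone.Identifier"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # no ADS suffix: selection does not match
     "TargetFilename": r"C:\Users\alice\Downloads\notes.txt"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",  # unlisted: the rule fires
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.docx:Zone.Identifier"},
]
```

Only the last event survives both the selection and the two filter groups, which is the "uncommon application" case the rule is meant to surface; adding a site-specific path to either filter set is how the False Positives note above would be acted on.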
References
1. securityliterate.com
2. Internal Research
MITRE ATT&CK
Tactics: Defense Evasion
Sub-techniques: T1070.004 (File Deletion)
Rule Metadata
Rule ID
3109530e-ab47-4cc6-a953-cac5ebcc93ae
Status
test
Level
medium
Type
Detection
Created
Mon Sep 04
Modified
Fri Jul 04
Path
rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
Raw Tags
attack.defense-evasion, attack.t1070.004