Threat Huntlowtest

ADS Zone.Identifier Deleted

Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Mon Sep 047eac0a16-5832-4e81-865f-0268a6d19e4bwindows

Hunting Hypothesis

Log Source

WindowsFile Delete

ProductWindows← raw: windows

CategoryFile Delete← raw: file_delete

Detection Logic

detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    condition: selection

False Positives

Likely

References

Resolving title…

securityliterate.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1070.004 · File Deletion

Other

detection.threat-hunting

Related Rules

SimilarDetectionmedium

ADS Zone.Identifier Deleted By Uncommon Application

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

7eac0a16-5832-4e81-865f-0268a6d19e4b

Status

test

Level

low

Type

Threat Hunt

Created

Mon Sep 04

Author

François Hubaut

Path

rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml

Raw Tags

attack.defense-evasionattack.t1070.004detection.threat-hunting

View on GitHub