ADS Zone.Identifier Deleted By Uncommon Application

Rule Info

Name
ADS Zone.Identifier Deleted By Uncommon Application
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Reference
https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
Date
2023-09-04 00:00:00
Modified
2024-04-26 00:00:00
Id
3109530e-ab47-4cc6-a953-cac5ebcc93ae
Tags
attack.defense-evasion attack.t1070.004
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=3109530e-ab47-4cc6-a953-cac5ebcc93ae

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #5216 from @nasbench - Promote older rules status from `experimental` to `test`
2025-03-05
64852d95a
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
Merge PR #4837 from @nasbench - fix fp reported in #4820
2024-04-26
481337a8c
Nasreddine Bencherchali
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23
edf0ff5cc
frack113
Merge PR #4419 from @frack113 - New Rules Related To Zone.Identifier ADS Deletion
2023-09-06
5884d9afd
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022