ADS Zone.Identifier Deleted By Uncommon Application
Nasreddine Bencherchali (Nextron Systems)
Detects the deletion of the "Zone.Identifier" ADS (the Mark-of-the-Web stream) by an uncommon process. Attackers can delete it to bypass security restrictions that rely on the ADS, such as those enforced by Microsoft Office apps.
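To illustrate the detection logic the rule describes, here is an added example (not the Sigma rule itself and not Nextron's code) that runs the check over constructed Sysmon FileDelete records; the allowlist of expected deleting processes is an assumption for illustration, not the rule's real filter.

```python
"""Added example: flag Zone.Identifier ADS deletions by non-allowlisted processes.
Input records mimic Sysmon FileDelete events (Event ID 23/26) and are constructed."""
from dataclasses import dataclass

ADS_SUFFIX = ":Zone.Identifier"

# Assumed allowlist of processes expected to strip the Mark-of-the-Web.
# A real deployment tunes this from its own baseline; it is not the rule's list.
EXPECTED_DELETERS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class FileDeleteEvent:
    image: str            # Sysmon "Image": full path of the deleting process
    target_filename: str  # Sysmon "TargetFilename": path of the deleted object


def is_zone_identifier_ads(path: str) -> bool:
    """True when the deleted object is a file's Zone.Identifier ADS."""
    return path.lower().endswith(ADS_SUFFIX.lower())


def detect(events: list[FileDeleteEvent]) -> list[FileDeleteEvent]:
    """Return events where a non-allowlisted process deleted a Zone.Identifier ADS."""
    hits = []
    for ev in events:
        if not is_zone_identifier_ads(ev.target_filename):
            continue
        if ev.image.lower() in EXPECTED_DELETERS:
            continue  # expected deleter, e.g. Explorer's "Unblock" checkbox
        hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileDeleteEvent(r"C:\Windows\explorer.exe",
                    r"C:\Users\a\Downloads\report.docx:Zone.Identifier"),
    FileDeleteEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\a\Downloads\invoice.xlsm:Zone.Identifier"),
    FileDeleteEvent(r"C:\Windows\System32\cmd.exe",
                    r"C:\Users\a\Downloads\notes.txt"),  # not an ADS deletion
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} deleted {hit.target_filename}")
```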
attack.defense_evasion attack.t1070.004 DEMO
Merge PR #4419 from @frack113 - New Rules Related To Zone.Identifier ADS Deletion