Sample rules
ADS Zone.Identifier Deleted By Uncommon Application
- source: sigma
- techniques:
- t1070
- t1070.004
Description
Detects the deletion of the “Zone.Identifier” alternate data stream (ADS) by a process that does not normally remove it. Browsers and mail clients write this stream, the Mark-of-the-Web, to downloaded files; Windows SmartScreen and Microsoft Office (Protected View) read it before deciding whether to warn or sandbox the file. Attackers delete the stream to unblock a dropped file and bypass those security restrictions. Explorer's “Unblock” checkbox and PowerShell's Unblock-File remove the same stream legitimately, which is why explorer.exe, powershell.exe and pwsh.exe are excluded; Chrome and Firefox are also seen deleting it while finalising downloads, so the browser exclusions are kept as optional filters that can be dropped where the extra noise is acceptable. The selection relies on file-delete telemetry (for Sysmon, Event ID 23 or 26) carrying a TargetFilename that ends in :Zone.Identifier, so the rule only works where that event source is enabled.
Detection logic
selection:
    TargetFilename|endswith: ':Zone.Identifier'
filter_main_generic:
    Image:
        - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
        - 'C:\Program Files\PowerShell\7\pwsh.exe'
        - 'C:\Windows\explorer.exe'
        - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        - 'C:\Windows\SysWOW64\explorer.exe'
        - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_optional_browsers_chrome:
    Image:
        - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
        - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_browsers_firefox:
    Image:
        - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
        - 'C:\Program Files\Mozilla Firefox\firefox.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
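To see how the condition behaves on real-looking input, here is an added example (not part of the Sigma rule or of this page) that evaluates the detection block above in plain Python over a handful of constructed Sysmon-style file-delete events. The exclusion lists are copied from the rule; the events, user names and file paths are invented for the illustration. It reproduces two Sigma semantics a practitioner tends to trip over: string matching is case-insensitive, and `1 of filter_optional_*` means any one of the browser filters suppresses the alert. A flag lets you see what the rule fires on when the optional browser exclusions are removed from a deployment.

```python
"""Evaluate the Sigma rule's detection block over constructed events.

Added example, not part of the rule or of the page: a minimal evaluator for
the two Sigma features this rule relies on, the `endswith` modifier and the
`1 of filter_*` wildcard in the condition. The events below are constructed
to look like Sysmon FileDelete records (Event ID 23/26) after the Image and
TargetFilename fields have been extracted; they are not real telemetry.
"""

# Exclusion lists copied from the rule's detection block.
FILTER_MAIN_GENERIC = [
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\explorer.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]
FILTER_OPTIONAL = {
    "browsers_chrome": [
        r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    ],
    "browsers_firefox": [
        r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
    ],
}


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma string matching is case-insensitive, so "...:zone.identifier" matches too.
    return value.lower().endswith(suffix.lower())


def _eq_ci(value: str, expected: str) -> bool:
    return value.lower() == expected.lower()


def selection(event: dict) -> bool:
    """TargetFilename|endswith: ':Zone.Identifier'"""
    return _endswith_ci(event.get("TargetFilename", ""), ":Zone.Identifier")


def filter_main(event: dict) -> bool:
    """1 of filter_main_*: the deleting Image is one of the listed system binaries."""
    image = event.get("Image", "")
    return any(_eq_ci(image, path) for path in FILTER_MAIN_GENERIC)


def filter_optional(event: dict) -> bool:
    """1 of filter_optional_*: the deleting Image is a path from any optional browser filter."""
    image = event.get("Image", "")
    return any(_eq_ci(image, path) for paths in FILTER_OPTIONAL.values() for path in paths)


def matches(event: dict, apply_optional_filters: bool = True) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

    apply_optional_filters=False shows what the rule fires on when a deployment
    drops the optional browser exclusions.
    """
    if not selection(event):
        return False
    if filter_main(event):
        return False
    if apply_optional_filters and filter_optional(event):
        return False
    return True


# Constructed sample events (hypothetical user and paths), one per case of interest.
SAMPLE_EVENTS = [
    # Explorer "Unblock" checkbox: excluded by filter_main_generic.
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.docx:Zone.Identifier"},
    # Unblock-File from Windows PowerShell: excluded by filter_main_generic.
    {"EventID": 23, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\tool.ps1:Zone.Identifier"},
    # Chrome finalising a download: excluded only while the optional filters are applied.
    {"EventID": 23, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
    # Mixed case from a different log pipeline: still excluded, matching is case-insensitive.
    {"EventID": 26, "Image": r"C:\WINDOWS\Explorer.EXE",
     "TargetFilename": r"C:\Users\alice\Downloads\report.xlsx:zone.identifier"},
    # cmd.exe removing the stream, an uncommon process for this operation: alert.
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\macro.docm:Zone.Identifier"},
    # Unknown binary in a temp directory unblocking itself: alert.
    {"EventID": 23, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\dropper.exe:Zone.Identifier"},
    # Deletion of some other ADS: outside this rule's selection, no alert.
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt:hidden"},
]


def run(events, apply_optional_filters: bool = True) -> list:
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if matches(e, apply_optional_filters)]


if __name__ == "__main__":
    for image in run(SAMPLE_EVENTS):
        print("ALERT:", image)
```

With the optional filters applied only the cmd.exe and dropper.exe deletions alert; switching them off adds the Chrome event, which is the extra noise a deployment trades for tighter coverage. The evaluator compares full paths, so a copy of explorer.exe or powershell.exe running from an unexpected directory is not excluded, which is the intended behaviour of the rule's exact-match Image lists.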