Date: 10/22/2024
Severity: Low
Summary
Identifies deletion of the "Zone.Identifier" Alternate Data Stream (ADS), the NTFS stream that carries the Mark-of-the-Web (MotW) on files saved from the internet. Stripping the stream removes the download marker, so controls keyed on MotW, most visibly Protected View in Microsoft Office and SmartScreen prompts, no longer apply to the file, and a downloaded document or executable is treated as if it were created locally. The same deletion is what the "Unblock" checkbox in Explorer and PowerShell's Unblock-File perform, so benign hits are expected; hence the low severity, and hits should be reviewed by deleting process and by the host file's type and location rather than alerted on in isolation.
Indicators of Compromise (IOC) List
TargetFilename | ends with ':Zone.Identifier' (the deleted object is the stream, named host file + ':Zone.Identifier') |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query : | resourcename = "Windows Security" and eventtype = "4660" AND targetfilename like ":Zone.Identifier" |
Detection Query : | technologygroup = "EDR" AND targetfilename like ":Zone.Identifier" |
Note: the match belongs on the name of the deleted object (the TargetFilename IOC above; the field name here follows that IOC and should be mapped to the ingested schema), not on processname, since no process is named ":Zone.Identifier". Windows Security event 4660 ("An object was deleted") records only the Handle ID and the deleting process, not the object name, so on that source the deletion has to be tied back to the 4663 (or 4656) event with the same Handle ID, which does carry ObjectName and the DELETE access. The referenced Sigma rule is written for the file_delete log category, which on Windows is Sysmon Event ID 23 (FileDelete) or 26 (FileDeleteDetected); EDR file-delete telemetry that includes the stream name is the equivalent source.
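The rule logic above, run over constructed Sysmon-style FileDelete records (Event ID 23/26, the Windows file_delete source the referenced Sigma rule targets), as an added example. This is the editor's illustration, not Gurucul or SigmaHQ code; the field names TargetFilename, Image and User are Sysmon's, while the key=value line format, the Alert type and every sample event are constructed for the example. It also shows the two cases the suffix match must not fire on: creation of the stream when a browser saves a download, and a plain file merely named Zone.Identifier.

```python
# Added example (editor's illustration, not Gurucul or SigmaHQ code): the
# "Zone.Identifier ADS deleted" logic applied to constructed Sysmon-style
# FileDelete records. TargetFilename/Image/User are Sysmon field names; the
# key=value line format and the sample events below are constructed.
import re
from dataclasses import dataclass

ZONE_ADS_SUFFIX = ":zone.identifier"      # compared case-insensitively
FILE_DELETE_EVENT_IDS = {23, 26}          # Sysmon FileDelete / FileDeleteDetected

# Constructed sample events. Only #1 and #4 should alert: #2 is an ordinary
# file delete, #3 is the normal *creation* (EID 11) of the stream when a
# browser saves a download, #5 is a file merely named Zone.Identifier with
# no ':' stream separator, so it is not an ADS at all.
SAMPLE_EVENTS = [
    r'EventID=23 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" User="CORP\alice" TargetFilename="C:\Users\alice\Downloads\invoice.docm:Zone.Identifier"',
    r'EventID=23 Image="C:\Windows\explorer.exe" User="CORP\alice" TargetFilename="C:\Users\alice\Downloads\report.pdf"',
    r'EventID=11 Image="C:\Program Files\Mozilla Firefox\firefox.exe" User="CORP\alice" TargetFilename="C:\Users\alice\Downloads\setup.exe:Zone.Identifier"',
    r'EventID=26 Image="C:\Windows\System32\cmd.exe" User="CORP\bob" TargetFilename="C:\Temp\payload.exe:Zone.Identifier"',
    r'EventID=23 Image="C:\Windows\System32\notepad.exe" User="CORP\bob" TargetFilename="C:\Users\bob\notes\Zone.Identifier"',
]

# key=value pairs; quoted values may contain spaces (e.g. "Program Files").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    user: str
    image: str       # process that deleted the stream
    host_file: str   # the file whose Mark-of-the-Web was stripped


def parse_event(line):
    """Turn one constructed key=value line into a dict, dropping the quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def is_zone_identifier_delete(event):
    """The Sigma selection: a file-delete event whose target is the Zone.Identifier ADS."""
    try:
        event_id = int(event.get("EventID", -1))
    except ValueError:
        return False
    if event_id not in FILE_DELETE_EVENT_IDS:
        return False
    # Suffix match on the stream name; the ':' is what distinguishes an ADS
    # from an ordinary file that happens to be called Zone.Identifier.
    return event.get("TargetFilename", "").lower().endswith(ZONE_ADS_SUFFIX)


def detect(lines):
    """Run the rule over raw lines and return one Alert per matching event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if not is_zone_identifier_delete(event):
            continue
        target = event["TargetFilename"]
        alerts.append(Alert(
            user=event.get("User", "<unknown>"),
            image=event.get("Image", "<unknown>"),
            host_file=target[:-len(ZONE_ADS_SUFFIX)],   # strip ':Zone.Identifier'
        ))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.user} stripped MotW from {a.host_file} via {a.image}")
```

The Image and host_file fields are what triage needs: a user clicking Unblock in Explorer (explorer.exe on a PDF in Downloads) is routine, while cmd.exe or a script host removing the stream from an executable or macro-enabled document is the pattern the rule exists to surface. Tuning belongs on those two fields rather than on the suffix match itself.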
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml