ADS Zone.Identifier Deleted By Uncommon Application (3109530e-ab47-4cc6-a953-cac5ebcc93ae)

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can use this to bypass security restrictions that rely on the ADS, such as those in Microsoft Office apps.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| ADS Zone.Identifier Deleted By Uncommon Application (3109530e-ab47-4cc6-a953-cac5ebcc93ae) | Sigma-Rules | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |