ADS Zone.Identifier Deleted By Uncommon Application (3109530e-ab47-4cc6-a953-cac5ebcc93ae)

Detects deletion of the "Zone.Identifier" alternate data stream (ADS) by an uncommon process. Attackers can delete this stream to bypass security restrictions that rely on it, such as those in Microsoft Office apps.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | ADS Zone.Identifier Deleted By Uncommon Application (3109530e-ab47-4cc6-a953-cac5ebcc93ae) | Sigma-Rules | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |