Deletion of the Zone.Identifier alternate data stream by an uncommon application indicates a process stripping the Mark-of-the-Web from a file: the stream records that a file came from the internet, and SmartScreen and Office Protected View use it to restrict untrusted content, so removing it is a defense-evasion step rather than a persistence mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify files whose origin has been laundered before they are opened or executed.
Detection Rule
title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium
imFileEvent
// The Sigma logsource category file_delete corresponds to the ASIM FileDeleted event type; without it the query also matches creation or modification of the stream.
| where EventType == "FileDeleted"
| where TargetFileName endswith ":Zone.Identifier"
// Image in the Sigma rule is the acting (deleting) process, so the exclusions must be compared against ActingProcessName; TargetFilePath is the file whose stream was removed and can never equal one of these executables.
| where not(ActingProcessName in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"))
| where not(ActingProcessName in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))
Scenario: A system administrator uses PowerShell (Unblock-File, or Remove-Item -Stream Zone.Identifier) to strip the Mark-of-the-Web from downloaded files during a cleanup or deployment task.
Filter/Exclusion: The shipped rule already excludes powershell.exe and pwsh.exe at their standard install paths. If further tuning is needed, key it to the specific script, host or account rather than to a command line containing Remove-Item or Del, which would also exclude an attacker running the same cmdlets from the same interpreter. File-delete events carry no command line, so a command-line filter requires joining to process-creation events.
Scenario: A Windows Update or Group Policy deployment modifies or deletes files, including their Zone.Identifier streams, during a system configuration update.
Filter/Exclusion: Exclude events where the acting process is the Windows Update service host or gpupdate.exe (Group Policy update). Note that wuauserv is a service running inside svchost.exe, so there is no wuauserv.exe image to match on, and gupdate is the Google Update service, not a Group Policy component.
Scenario: A scheduled task runs a script or batch file that deletes files as part of routine maintenance, such as log rotation or temporary file cleanup.
Filter/Exclusion: Exclude events where the acting process is the script host the task launches (cmd.exe, powershell.exe, wscript.exe) running a known maintenance script (e.g., LogCleaner or TempFileCleanup), identified by the script path. schtasks.exe only registers and queries tasks and will not appear as the deleting process.
Scenario: A third-party backup tool (e.g., Veeam, Acronis, or Dell Data Protection) deletes files during a backup or restore operation, which may include their Zone.Identifier streams.
Filter/Exclusion: Exclude events where the acting process is the backup agent's binary at its installed path (e.g., veeam.exe, acronis.exe, or dellbackup.exe). Confirm the exact image names and paths from your own telemetry, since they vary by vendor and version, and a bare image name without its path is trivially spoofed.
Scenario: A Windows Defender scan or remediation deletes files with suspicious attributes, including their Zone.Identifier streams, as part of a security policy or malware removal process.
Filter/Exclusion: Exclude events where the acting process is MsMpEng.exe (the Defender engine) or another Defender component, matched on its full path.
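To make the rule's selection and filter precedence concrete, and to show how the site-specific exclusions the scenarios above call for fit into it, here is an added example that is not part of the Sigma rule or the SigmaHQ project. It re-implements the rule's condition in Python over constructed Sysmon file-delete records (the Image and TargetFilename fields of Event ID 23/26) and then applies an extra exclusion keyed to a full path. The backup-agent path and every event are constructed placeholders, not real telemetry or a real product binary.

```python
"""Evaluate the Zone.Identifier deletion rule over constructed file-delete events."""

# Exclusions shipped with the rule (filter_main_* and filter_optional_*), as full paths.
FILTER_MAIN = {
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\explorer.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
}
FILTER_OPTIONAL = {
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
}

# Hypothetical site tuning: a backup agent excluded by its full installed path.
# Vendor name and path are placeholders, not a real product binary.
SITE_EXCLUSIONS = {r"C:\Program Files\ExampleBackup\agent.exe"}


def matches(event, site_exclusions=frozenset()):
    """Return True if the event satisfies the rule's condition.

    Sigma string matching is case-insensitive by default (the KQL above uses in~),
    so both the stream suffix and the image path are compared lower-cased.
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    # selection: TargetFilename|endswith ':Zone.Identifier'. Deleting the whole file
    # removes its streams as well, but that event names the file rather than the
    # stream, so only an explicit removal of the stream matches.
    if not target.lower().endswith(":zone.identifier"):
        return False
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    excluded = {p.lower() for p in FILTER_MAIN | FILTER_OPTIONAL | set(site_exclusions)}
    return image.lower() not in excluded


def alerting_images(events, site_exclusions=frozenset()):
    """Return the Image of every event that would raise an alert, in input order."""
    return [e["Image"] for e in events if matches(e, site_exclusions)]


# Constructed sample events (not real telemetry).
DOWNLOAD = r"C:\Users\alice\Downloads\invoice.docm"
EVENTS = [
    # Unblock-File from the stock PowerShell: excluded by filter_main_generic.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": DOWNLOAD + ":Zone.Identifier"},
    # Same image name, but a copy of powershell.exe outside System32: alert.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\powershell.exe",
     "TargetFilename": DOWNLOAD + ":Zone.Identifier"},
    # A downloaded installer stripping MOTW from a sibling DLL: alert.
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\helper.dll:Zone.Identifier"},
    # Whole-file deletion by Explorer: no stream suffix, so no match.
    {"Image": r"C:\Windows\explorer.exe", "TargetFilename": DOWNLOAD},
    # Chrome at its install path, logged with different casing: excluded.
    {"Image": r"C:\PROGRAM FILES\Google\Chrome\Application\CHROME.EXE",
     "TargetFilename": DOWNLOAD + ":Zone.Identifier"},
    # Backup agent: alerts under the shipped rule, silenced by the site exclusion.
    {"Image": r"C:\Program Files\ExampleBackup\agent.exe",
     "TargetFilename": DOWNLOAD + ":Zone.Identifier"},
]

if __name__ == "__main__":
    for image in alerting_images(EVENTS):
        print("ALERT (shipped rule):", image)
    for image in alerting_images(EVENTS, SITE_EXCLUSIONS):
        print("ALERT (with site exclusions):", image)
```

Two points the YAML leaves implicit: the exclusions are full paths, so a powershell.exe copied into a user-writable directory still alerts, and the rule fires only on explicit removal of the stream, not on deletion of the file that carries it. Site exclusions should follow the same pattern, the full path of the vendor's binary rather than a bare image name.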