Detection rules › Splunk
Windows Mark Of The Web Bypass
The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 23 | FileDelete (File Delete archived) |
Stages and Predicates
Stage 1: search
search EventCode=23 TargetFilename="*:Zone.Identifier"
Stage 2: stats
stats BY action, dest, dvc, file_path, file_hash, file_name, file_modify_time, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
TargetFilename | eq |
|