bypass Mark of the Web

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: bypass Mark of the Web
    namespace: host-interaction/file-system
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005]
    examples:
      - 48c7ad2d9d482cb11898f2719638ceed:0x405B10
  features:
    - and:
      - api: DeleteFile
      - or:
        - string: ":Zone.Identifier"
          description: NTFS ADS name recognized by Windows Defender SmartScreen
        - string: "%s:Zone.Identifier"
          description: NTFS ADS name recognized by Windows Defender SmartScreen

last edited: 2023-11-24 10:34:28