diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 44028ad9..87308655 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -406,6 +406,7 @@ defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 001c9054..2b3b08c0 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -252,6 +252,7 @@ defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 0ab7a8b7..aa51a5a9 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -675,6 +675,7 @@
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
+ - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 26e561fb..6d89884e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -459,6 +459,7 @@
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
+ - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 37676f1b..e934a554 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -29002,6 +29002,40 @@ defense-evasion:
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
Stop-process -name "hello" -Force -ErrorAction ignore
name: powershell
+ - name: Remove the Zone.Identifier alternate data stream
+ auto_generated_guid: 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
+ description: |
+ Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
+ Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_to_download:
+ description: File that will be downloaded to test against.
+ type: url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md
+ file_path:
+ description: File to have the Zone.Identifier removed.
+ type: String
+ default: "$env:tmp\\ReadMe.md"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: A test file with the Zone.Identifier attribute must be present.
+ prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
+
+'
+ get_prereq_command: |
+ Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
+ Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+ executor:
+ command: 'Unblock-File -Path #{file_path}
+
+'
+ cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value
+ ''[ZoneTransfer]'',''ZoneId=3''
+
+'
+ name: powershell
T1036.004:
technique:
external_references:
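Review bot: The `prereq_command` line only tests that `#{file_path}` exists, not that the Zone.Identifier stream is present, even though the dependency description says the stream must be present; a file left over from an earlier run whose cleanup did not execute passes the check and turns `Unblock-File` into a no-op, so the test reports success without exercising the removal. Since `Test-Path` has no stream parameter, the check should query the stream itself, `if (Get-Item -Path #{file_path} -Stream Zone.Identifier -ErrorAction SilentlyContinue) { EXIT 0 } else { EXIT 1 }`, which also lets `get_prereq_command` re-create the stream when it is missing. The same check is rendered in atomics/T1553.005/T1553.005.md later in this diff; both files appear to be generated copies of the technique's source yaml, which this diff does not include, so the fix belongs there and the indexes should be regenerated rather than edited by hand.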
diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md
index 805a501a..402a42ae 100644
--- a/atomics/T1553.005/T1553.005.md
+++ b/atomics/T1553.005/T1553.005.md
@@ -10,6 +10,8 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a
- [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso)
+- [Atomic Test #3 - Remove the Zone.Identifier alternate data stream](#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream)
+
@@ -115,4 +117,56 @@ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/
+
+
+
+## Atomic Test #3 - Remove the Zone.Identifier alternate data stream
+Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
+Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_download | File that will be downloaded to test against. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md|
+| file_path | File to have the Zone.Identifier removed. | String | $env:tmp\ReadMe.md|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Unblock-File -Path #{file_path}
+```
+
+#### Cleanup Commands:
+```powershell
+Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: A test file with the Zone.Identifier attribute must be present.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
+Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+```
+
+
+
+