
Summary
The rule identifies a suspicious process deleting the Mark of the Web (MOTW) data stream, an indicator that a file downloaded from the internet is being tampered with to bypass security validation. The detection relies on Sysmon EventCode 23 (FileDelete) and targets file names that end in the 'Zone.Identifier' alternate data stream, the stream Windows writes to record that a file originated from the web. Deleting this stream is frequently used by malware to execute payloads without triggering SmartScreen, Protected View and similar warnings, improving the attacker's ability to compromise the system. Notably, the Ave Maria RAT (also known as Warzone RAT) has been associated with this technique: part of its modus operandi is stripping the MOTW from downloaded files so that they execute stealthily. The implementation requires ingestion of Sysmon logs that include file deletion events. EventCode 23 was introduced in Sysmon 11, so the "6.0.4 or above" figure applies to the Splunk Add-on for Sysmon (the Sysmon TA) used to parse the events, not to Sysmon itself. Also note that EventCode 23 is only generated when the Sysmon configuration contains a FileDelete rule; deployments that log deletions without archiving emit EventCode 26 (FileDeleteDetected) instead, and the search must be extended to cover that event or the activity will be missed. Tuning is needed for processes that legitimately remove the stream, such as Explorer when a user clicks "Unblock" in a file's properties.
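As an added illustration that is not code from the original page or from the rule's author, the following Python script applies the detection logic described above to a handful of constructed Sysmon records: it keeps only FileDelete (23) and FileDeleteDetected (26) events whose TargetFilename ends in the Zone.Identifier stream, drops processes on a hypothetical allowlist (here just explorer.exe), and reports the host file that lost its MOTW. The event XML, user names, paths and the allowlist are all invented sample data; the `self_unblock` flag is an extra indicator added here, not part of the rule.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed Sysmon events in the Windows event XML layout (sample data,
# not real telemetry). Only the fields the detection needs are included.
SAMPLE_EVENTS = r"""<Events>
  <Event>
    <System><EventID>23</EventID></System>
    <EventData>
      <Data Name="UtcTime">2024-11-13 10:15:02.117</Data>
      <Data Name="User">CORP\alice</Data>
      <Data Name="Image">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
      <Data Name="TargetFilename">C:\Users\alice\Downloads\invoice.exe:Zone.Identifier</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>23</EventID></System>
    <EventData>
      <Data Name="UtcTime">2024-11-13 10:16:40.002</Data>
      <Data Name="User">CORP\alice</Data>
      <Data Name="Image">C:\Windows\explorer.exe</Data>
      <Data Name="TargetFilename">C:\Users\alice\Downloads\report.pdf:Zone.Identifier</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>23</EventID></System>
    <EventData>
      <Data Name="UtcTime">2024-11-13 10:17:11.550</Data>
      <Data Name="User">CORP\alice</Data>
      <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
      <Data Name="TargetFilename">C:\Users\alice\Downloads\old.log</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>11</EventID></System>
    <EventData>
      <Data Name="UtcTime">2024-11-13 10:18:03.918</Data>
      <Data Name="User">CORP\alice</Data>
      <Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
      <Data Name="TargetFilename">C:\Users\alice\Downloads\setup.msi:Zone.Identifier</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>26</EventID></System>
    <EventData>
      <Data Name="UtcTime">2024-11-13 10:19:27.301</Data>
      <Data Name="User">CORP\alice</Data>
      <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
      <Data Name="TargetFilename">C:\Users\alice\Downloads\setup.msi:Zone.Identifier</Data>
    </EventData>
  </Event>
</Events>"""

# Hypothetical tuning list: processes that legitimately strip the stream
# (e.g. Explorer when a user clicks "Unblock"). Adjust per environment.
DEFAULT_ALLOWLIST = frozenset({"explorer.exe"})

MOTW_STREAM_SUFFIX = ":zone.identifier"


def parse_sysmon_events(xml_text):
    """Yield (event_id, {Data Name: value}) pairs from Sysmon event XML."""
    root = ET.fromstring(xml_text)
    for event in root.iter("Event"):
        event_id = int(event.findtext("System/EventID"))
        data = {d.get("Name"): (d.text or "") for d in event.findall("EventData/Data")}
        yield event_id, data


def detect_motw_stream_deletion(xml_text, allowlist=DEFAULT_ALLOWLIST, event_ids=(23, 26)):
    """Return one finding per deletion of a Zone.Identifier stream by a process
    not on the allowlist. EventID 23 is FileDelete (archiving enabled);
    26 is FileDeleteDetected (no archive) and is included so neither is missed."""
    findings = []
    for event_id, data in parse_sysmon_events(xml_text):
        if event_id not in event_ids:
            continue  # only deletions matter; 11 (FileCreate) is MOTW being applied
        target = data.get("TargetFilename", "")
        if not target.lower().endswith(MOTW_STREAM_SUFFIX):
            continue  # ordinary file deletion, not the MOTW stream
        image = data.get("Image", "")
        if ntpath.basename(image).lower() in allowlist:
            continue
        host_file = target[: -len(MOTW_STREAM_SUFFIX)]  # strip ":Zone.Identifier"
        findings.append({
            "time": data.get("UtcTime", ""),
            "event_id": event_id,
            "user": data.get("User", ""),
            "process": image,
            "file": host_file,
            # Extra signal (not part of the rule): a binary removing the MOTW
            # from a file of its own name, typical of a dropped payload.
            "self_unblock": ntpath.basename(image).lower() == ntpath.basename(host_file).lower(),
        })
    return findings


if __name__ == "__main__":
    for f in detect_motw_stream_deletion(SAMPLE_EVENTS):
        print(f"[{f['time']}] EventID={f['event_id']} {f['user']} {f['process']} removed MOTW from {f['file']}")
```

Run as-is, the script flags two of the five constructed records: the executable in a Temp directory removing the stream from a same-named file in Downloads, and PowerShell removing it from an installer via the EventID 26 path. The explorer.exe deletion is suppressed by the allowlist, the plain file deletion has no stream suffix, and the EventID 11 record is the stream being written by a browser, which is the MOTW being applied rather than removed.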
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1553
- T1553.005
Created: 2024-11-13