ADS Zone.Identifier Deleted By Uncommon Application

Sigma Rules

Summary
This rule detects deletion of the "Zone.Identifier" Alternate Data Stream (ADS) by processes that are uncommon in a Windows environment. Windows uses the Zone.Identifier ADS to record security attributes for files, particularly files received from the internet or other external locations. Attackers may delete this stream to undermine protections that depend on it, such as those in Microsoft Office: once the ADS is gone, mechanisms that would normally warn users about potentially harmful files no longer trigger. The rule flags an incident when the named stream is deleted by a process that is not on an established allow list of applications; legitimate applications excluded from triggering it include various versions of PowerShell and popular web browsers such as Chrome and Firefox. Monitoring these deletions helps surface attackers who manipulate file attributes to evade security measures.
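To make the detection logic concrete, the following is an added example (not the Sigma rule itself and not code from the rule's authors) that evaluates the same conditions over a few constructed file-deletion events. It assumes Sysmon-style FileDelete telemetry with `EventID`, `Image` and `TargetFilename` fields, and the allow list of process images is an assumption chosen to mirror the exclusions the summary describes; the real rule's filter list may differ.

```python
"""Toy evaluator for 'Zone.Identifier ADS deleted by uncommon process'.

Added example, not the Sigma rule. Field names follow Sysmon FileDelete
events (EventID 23); the allow list below is an assumption.
"""
from pathlib import PureWindowsPath

# Assumed allow list: process images that legitimately strip the ADS.
# Matched on the basename only, case-insensitively.
ALLOWED_IMAGES = {
    "powershell.exe", "pwsh.exe", "powershell_ise.exe",   # PowerShell variants
    "chrome.exe", "firefox.exe", "msedge.exe",             # browsers
}

SYSMON_FILE_DELETE = "23"


def is_zone_identifier_ads(target_filename: str) -> bool:
    """True when the deleted object is the Zone.Identifier stream of a file."""
    return target_filename.lower().endswith(":zone.identifier")


def image_basename(image: str) -> str:
    """Reduce a full image path to its lowercase file name."""
    return PureWindowsPath(image).name.lower()


def matches(image: str, target_filename: str) -> bool:
    """Rule condition: Zone.Identifier deleted by a process not on the allow list."""
    if not is_zone_identifier_ads(target_filename):
        return False
    return image_basename(image) not in ALLOWED_IMAGES


def parse_event(line: str) -> dict:
    """Parse a tab-separated 'Key=Value' record into a dict (constructed format)."""
    return dict(part.split("=", 1) for part in line.split("\t") if "=" in part)


def evaluate(lines):
    """Return the parsed events that should raise an alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != SYSMON_FILE_DELETE:
            continue  # only file-deletion telemetry is in scope
        if matches(event.get("Image", ""), event.get("TargetFilename", "")):
            alerts.append(event)
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    "\t".join(["EventID=23",
               r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"TargetFilename=C:\Users\alice\Downloads\report.docx:Zone.Identifier"]),
    "\t".join(["EventID=23",
               r"Image=C:\Users\alice\AppData\Local\Temp\update.exe",
               r"TargetFilename=C:\Users\alice\Downloads\invoice.docm:Zone.Identifier"]),
    "\t".join(["EventID=23",
               r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe",
               r"TargetFilename=C:\Users\alice\Downloads\setup.msi:ZONE.IDENTIFIER"]),
    "\t".join(["EventID=23",
               r"Image=C:\Users\alice\AppData\Local\Temp\update.exe",
               r"TargetFilename=C:\Users\alice\Downloads\notes.txt"]),
    "\t".join(["EventID=11",
               r"Image=C:\Users\alice\AppData\Local\Temp\update.exe",
               r"TargetFilename=C:\Users\alice\Downloads\a.docx:Zone.Identifier"]),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], "deleted", alert["TargetFilename"])
```

Only the second sample event fires: PowerShell and Chrome are on the allow list, the fourth event is not an ADS deletion, and the fifth is a file-create event rather than a delete. Comparing the stream name and image basename case-insensitively matters because NTFS names are case-insensitive and telemetry casing varies.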
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2023-09-04