Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Zone.Identifier: A Couple Of Observations

Published: 2020-07-18
Last Updated: 2020-07-20 08:23:08 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In diary entry "Sysmon and Alternate Data Streams", we reported that Sysmon records the content of small Alternate Data Streams (containing text) in the event log.

This is useful for the Zone.Identifier ADS, a stream that is added by many browsers to mark a file as orginating from the Internet.

Modern browsers will include extra information in Zone.Identifier, like the URL:

Marc Russinovich explained that this new feature in Sysmon is useful for forensics for example, to figure out from where a particular file was downloaded.

I did the download above using Chrome, with a normal window.

When I use an incognito window, the URL is not recorded:

Marc also explained that this extra info in the Zone.Identifier stream was generated by functions in the urlmon DLL.

That gave me the idea to test this out in VBA (UrlDownloadToFile is a function exported by the urlmon DLL that is often used by malware authors):

Unfortunately, no Zone.Identifier stream is created in this case:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords:
0 comment(s)
Diary Archives