SANS ISC InfoSec Forums
Zone.Identifier: A Couple Of Observations

In diary entry "Sysmon and Alternate Data Streams", we reported that Sysmon records the content of small Alternate Data Streams (containing text) in the event log.

This is useful for the Zone.Identifier ADS, a stream that is added by many browsers to mark a file as originating from the Internet.

Modern browsers will include extra information in Zone.Identifier, like the URL:

Mark Russinovich explained that this new feature in Sysmon is useful for forensics, for example to figure out from where a particular file was downloaded.

I did the download above using Chrome, with a normal window.

When I use an incognito window, the URL is not recorded:

Mark also explained that this extra info in the Zone.Identifier stream was generated by functions in the urlmon DLL.

That gave me the idea to test this out in VBA (UrlDownloadToFile is a function exported by the urlmon DLL that is often used by malware authors):

Unfortunately, no Zone.Identifier stream is created in this case:
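The three situations described above (a normal download with URLs, a private-browsing download with only a zone, and a file written by urlmon with no stream at all) can be told apart by parsing the stream. The following is an added example for this diary, not code from the original post; the stream contents and the example.com URLs are constructed samples, and the exact text a given browser version writes is an assumption.

```python
"""Parse and triage a Zone.Identifier (mark-of-the-web) stream.
Added example for this diary; sample stream contents are constructed."""
import os
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed: the shape a modern browser writes for a normal-window download.
SAMPLE_NORMAL = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.com/downloads/\r\n"
                 "HostUrl=https://example.com/downloads/tool.exe\r\n")
# Constructed: a private-browsing download, zone only and no URL (assumption).
SAMPLE_INCOGNITO = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section; ZoneId becomes an int."""
    fields: dict = {}
    in_section = False
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if line.startswith("["):            # section header
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if str(fields.get("ZoneId", "")).isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def triage(stream_text: Optional[str]) -> str:
    """Summarise what the stream (or its absence) tells an analyst about origin."""
    if stream_text is None:
        return "no Zone.Identifier: not marked as a download (e.g. written via URLDownloadToFile)"
    fields = parse_zone_identifier(stream_text)
    zone = fields.get("ZoneId")
    if not isinstance(zone, int):
        return "Zone.Identifier present but ZoneId missing or malformed"
    name = ZONE_NAMES.get(zone, "unknown zone")
    host = fields.get("HostUrl")
    if host:
        return f"downloaded from {host} (zone {zone}: {name})"
    return f"zone {zone} ({name}) but no source URL recorded, e.g. private browsing"


def read_stream(path: str) -> Optional[str]:
    """Read the ADS directly (Windows/NTFS); None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as f:
            return f.read()
    except OSError:                         # no such stream, or not an NTFS volume
        return None
```

The same parser applies to the stream text Sysmon records in its event data, so `triage` can run over exported events as well as over files on disk.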

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

ISC Handler
Jul 20th 2020
