Table Request: zone_identifier (Windows) #585

Open
FritzX6 opened this issue Feb 26, 2020 · 3 comments

FritzX6 (Contributor) commented Feb 26, 2020

What is being requested?

A new table called zone_identifier which can be JOINed against the file table to display any corresponding Zone.Identifier data that a file might possess.

This is similar to the extended_attributes table on macOS and Linux, which the file table can be joined against to provide additional metadata about a file, such as its contents and its source of origin.

What is Zone Identifier Information?


On Windows, the source of origin for any downloaded file is recorded in a separate sidecar metadata file called Zone.Identifier, which is a type of Alternate Data Stream (ADS).

Zone Identifier streams can be viewed by inspecting the contents of a given file path appended with Zone.Identifier.

We can recursively search for streams using the SysInternals tool streams.exe:

C:\Users\kolide-lenovo\Downloads\Streams>.\streams64.exe -s C:\Users\kolide-lenovo\Downloads\
streams v1.60 - Reveal NTFS alternate streams.
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\kolide-lenovo\Downloads\1Password Emergency Kit.pdf:
   :Zone.Identifier:$DATA       145
C:\Users\kolide-lenovo\Downloads\CheckWindowsSecurityCenter.ps1:
   :Zone.Identifier:$DATA       26
C:\Users\kolide-lenovo\Downloads\Firefox Installer (1).exe:
   :Zone.Identifier:$DATA       208
C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip:
   :Zone.Identifier:$DATA       135
C:\Users\kolide-lenovo\Downloads\kolide-launcher(1)(1).msi:
   :Zone.Identifier:$DATA       693

The contents of a Zone.Identifier file look like the following:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.ks-soft.net/hostmon.eng/downpage.htm
HostUrl=https://www.ks-soft.net/download/wmiexplorer.zip

We can see that this stream is a file containing a section [ZoneTransfer], in which a transfer zone ID (ZoneId) is specified. (These are the security zones that can be found in IE settings.) The transfer zone ID can contain one of the five values from 0 to 4. For more information, refer to the Microsoft Documentation Portal: Zone Identifiers.

  • ZoneId=0: Local machine
  • ZoneId=1: Local intranet
  • ZoneId=2: Trusted sites
  • ZoneId=3: Internet
  • ZoneId=4: Restricted sites

Likewise, we can see that multiple potential values are stored alongside this ZoneId, such as:

  • ReferrerUrl
  • HostUrl
  • HostIpAddress
  • LastWriterPackageFamilyName

What is the utility of this data?

If you were engaged in a forensics or IR scenario wherein you wished to identify the source of a given piece of downloaded malware, the Zone.Identifier ADS file could potentially store the quarantine information for that download.

Proposed Osquery Implementation

I think this data would be best suited to the EAV format approach, with the following output, for example:

SELECT * FROM zone_identifiers WHERE path = 'C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip'

+--------------------------------------------------+----------------+-------------+--------------------------------------------------+
| path                                             | key            | subkey      | value                                            |
+--------------------------------------------------+----------------+-------------+--------------------------------------------------+
| C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip | [ZoneTransfer] | ZoneId      | 3                                                |
| C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip | [ZoneTransfer] | ReferrerUrl | https://www.ks-soft.net/hostmon.eng/downpage.htm |
| C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip | [ZoneTransfer] | HostUrl     | https://www.ks-soft.net/download/wmiexplorer.zip |
+--------------------------------------------------+----------------+-------------+--------------------------------------------------+

Additional Reading and Sources

  • Highway To The Danger Zone.Identifier (June 18, 2018 ~ JACO)
  • Zone Identifier == kMDItemWhereFroms? (June 17, 2018 ~ Phill Moore)
  • About URL Security Zones (Microsoft API Documentation)
  • Alternate Data Streams Documentation (February 14, 2019 ~ Microsoft Open Specifications)

directionless (Contributor) commented:

This feels like something there should be an API for, and thus that would probably be cleaner in osquery directly.

directionless (Contributor) commented:

Relates to osquery/osquery#5250

directionless (Contributor) commented:

osquery is starting to play with this in osquery/osquery#8190 and I wonder if that's going to meet our needs.

Though I wonder how well this EAV data will fit.
