Table Request: zone_identifier (Windows) #585
Comments
This feels like something there should be an API for, and thus that would probably be cleaner in osquery directly.
Relates to osquery/osquery#5250
osquery is starting to play with this in osquery/osquery#8190 and I wonder if that's going to meet our needs. Though I wonder how this EAV data will fit.
What is being requested?
A new table called zone_identifier which can be JOINed against the file table to display any corresponding Zone.Identifier data that a file might possess. This is similar to the extended_attributes table on macOS and Linux, which the file table can be joined against to provide additional metadata about a file, such as its contents and its source of origin.
What is Zone Identifier Information?
On Windows, the source of origin for any downloaded file is recorded in a separate sidecar metadata file called Zone.Identifier, which is a type of Alternate Data Stream (ADS). Zone Identifier streams can be viewed by inspecting the contents of a given file path appended with Zone.Identifier. We can recursively search for streams using the SysInternals tool streams.exe.
The contents of a Zone.Identifier file look like the following:
We can see that this stream is a file containing a section [ZoneTransfer], in which a transfer zone ID (ZoneId) is specified. (These are the security zones that can be found in IE settings.) The transfer zone ID can contain one of the five values from 0 to 4. For more information refer to Microsoft Documentation Portal: Zone Identifiers
Likewise we can see that multiple potential values are stored alongside this ZoneId, such as:
ReferrerUrl
HostUrl
HostIpAddress
LastWriterPackageFamilyName
What is the utility of this data?
If you were engaged in a forensics or IR scenario wherein you wished to identify the source of a given piece of downloaded malware, the zone.identifier ADS file could potentially store the quarantine information for that download.
Proposed Osquery Implementation
I think this data would be best suited to the EAV format approach with the following output for example:
Additional Reading and Sources
Highway To The Danger Zone.Identifier (June 18, 2018 ~ JACO)
Zone Identifier == kMDItemWhereFroms? (June 17, 2018 ~ Phill Moore)
About URL Security Zones (Microsoft API Documentation)
Alternate Data Streams Documentation (February 14, 2019 ~ Microsoft Open Specifications)
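As an added illustration of the EAV shape proposed above (this is example code written for this page, not code from the issue author, kolide/launcher or osquery), the following parses the [ZoneTransfer] section of a Zone.Identifier stream into (path, key, value) rows and maps ZoneId to its URL security zone name. The stream content and the file path are constructed for the example; the read_zone_identifier helper assumes it runs on Windows, where NTFS exposes the stream as "<path>:Zone.Identifier".

```python
"""Parse Windows Zone.Identifier (Mark-of-the-Web) streams into EAV rows."""
from dataclasses import dataclass
from typing import List, Optional, Union

# URLZONE values from the URL security zones API (IE security zones).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass(frozen=True)
class ZoneRow:
    """One EAV row: which file, which Zone.Identifier key, which value."""
    path: str
    key: str
    value: str


def parse_zone_identifier(path: str, raw: Union[bytes, str]) -> List[ZoneRow]:
    """Turn the INI-style stream body into EAV rows for the given file path.

    Only keys under [ZoneTransfer] are kept. A UTF-8 BOM, CRLF line endings,
    blank lines and ';'/'#' comment lines are tolerated. Values are kept as
    strings so URLs containing '=' or '%' survive untouched.
    """
    text = raw.decode("utf-8-sig") if isinstance(raw, bytes) else raw
    section: Optional[str] = None
    rows: List[ZoneRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rows.append(ZoneRow(path, key.strip(), value.strip()))
    return rows


def zone_name(rows: List[ZoneRow]) -> Optional[str]:
    """Resolve the ZoneId row to its zone name; None if the stream has no ZoneId."""
    for row in rows:
        if row.key == "ZoneId":
            try:
                return ZONE_NAMES.get(int(row.value), "Unknown")
            except ValueError:
                return "Unknown"
    return None


def read_zone_identifier(path: str) -> List[ZoneRow]:
    """Read the stream from disk. Assumes a Windows host with an NTFS volume,
    where the ADS is addressed as '<path>:Zone.Identifier'. Returns [] when
    the file carries no such stream (for example a locally created file)."""
    try:
        with open(f"{path}:Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(path, stream.read())
    except FileNotFoundError:
        return []


# Constructed sample: what a browser download typically leaves behind.
SAMPLE_PATH = r"C:\Users\demo\Downloads\installer.exe"
SAMPLE_STREAM = (
    b"\xef\xbb\xbf[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://downloads.example.test/page?id=1\r\n"
    b"HostUrl=https://cdn.example.test/files/installer.exe\r\n"
)

if __name__ == "__main__":
    sample_rows = parse_zone_identifier(SAMPLE_PATH, SAMPLE_STREAM)
    print(f"{'path':<45} {'key':<12} value")
    for r in sample_rows:
        print(f"{r.path:<45} {r.key:<12} {r.value}")
    print("zone:", zone_name(sample_rows))
```

Joining these rows to the file table by path gives exactly the source-of-origin view the request describes: an investigator can filter for ZoneId=3 (Internet) entries and pivot on ReferrerUrl or HostUrl without opening each stream by hand.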