Highway To The Danger Zone.Identifier

Phill Moore recently did a write-up on some pretty cool changes made to the data being recorded within the Zone.Identifier Alternate Data Streams (ADS) for downloaded files.

Have a read here: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/

Now, if you’re not going to read Phill’s blog and just opened this article because of your innate love for Tom Cruise and bad Top Gun puns, shame on you.

Son, before your ego starts writing checks your body can’t cash, let’s at least assume we all agree on the following:

A Zone.Identifier ADS is an extra piece of information stored with downloaded files. This is done to assist Windows in determining whether a file should be trusted or not. For example, an executable file downloaded from the internet will be treated with the necessary suspicion based on the zone it came from (i.e. the Internet).

Phill’s testing has highlighted two additional fields that are being stored within the Zone.Identifier:

  • HostUrl
  • ReferrerUrl

This is a great source of information as it can assist in determining where (URL) a downloaded file originated from.

A bit of Googling revealed the following response to a Bugzilla report by a Windows Defender ATP team member regarding the addition of these fields in Windows 10:

This feature was added in Windows 10 release 1703 (build 15063).
The HostUrl and ReferrerUrl are set by Microsoft Edge and Google Chrome.
Edge also sets a HostIpAddress field.

It is used for protection purposes.
Specifically, Microsoft’s Windows Defender Advanced Threat Protection exposes this info to the SOC, who can then identify where attacks came from, which other downloads might be related, and respond/block accordingly.
I don't know which other products/tools use this feature.

Thanks,
Tomer
(from the Windows Defender Advanced Threat Protection team)

I haven’t seen the HostIpAddress field before, so I decided to run similar tests with three browsers, identical to those used by Phill:

  • Firefox 60.0.2 (64-bit)
  • Chrome Version 67.0.3396.87 (Official Build) (64-bit)
  • Microsoft Edge 42.17134.1.0

For my tests, I downloaded the file RegistryExplorer_RECmd.zip with each browser from the following URL:

  • https://ericzimmerman.github.io/Software/RegistryExplorer_RECmd.zip


Results:

Firefox behaved as expected with no additional fields added to the Zone.Identifier:

Firefox Zone.Identifier


Chrome added the ReferrerUrl and HostUrl as follows:

Chrome Zone.Identifier


In my case, Edge also added the ReferrerUrl and HostUrl:

Edge Zone.Identifier

This is interesting as it differs from Phill’s testing. I’ll compare notes with him to see if there’s a specific reason for this.


Archives, Zone.Identifiers & ReferrerUrls

Now, if you’re one of those analysts who won’t be happy unless you’re going Mach 2 with your hair on fire, you’ll like this:

If you use the built-in Windows “Extract All” option to extract the downloaded archives, you get a Zone.Identifier for each extracted file:

Zone.Identifiers in Extracted Files

Note: when extracting the same archive with 7-Zip instead, no Zone.Identifiers were created for the extracted files.

In addition to the zones, the Zone.Identifier now records the path of the parent archive where the extracted files originated from in the ReferrerUrl field:

Zone.Identifier in Extracted File Showing Parent

Not only are you now able to determine from which URL a downloaded file originated, you may also be able to track an extracted file back to its original archive.
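As an added example (not code from the original post), here is a small Python parser for the [ZoneTransfer] stream described above. It reads the ZoneId, ReferrerUrl, HostUrl and optional HostIpAddress fields and flags whether the ReferrerUrl is a web URL (a browser download) or a local path (a file extracted from a parent archive). The stream contents embedded below are constructed samples.

```python
# Added example, not part of the original post: parse a Zone.Identifier ADS
# and classify its ReferrerUrl (download source URL vs parent archive path).
from typing import Optional

# Well-known URLZONE values carried in the ZoneId field.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block into a dict of fields."""
    fields, in_section, seen = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1] == "ZoneTransfer"
            seen = seen or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not seen:
        raise ValueError("no [ZoneTransfer] section in stream")
    zone_id = int(fields["ZoneId"]) if "ZoneId" in fields else None
    referrer = fields.get("ReferrerUrl")
    origin = None
    if referrer:
        # A web URL means a browser download; anything else (drive letter or
        # UNC path) is the parent archive written by "Extract All".
        is_web = referrer.lower().startswith(("http://", "https://", "ftp://"))
        origin = "url" if is_web else "archive"
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer_url": referrer,
            "host_url": fields.get("HostUrl"),
            "host_ip": fields.get("HostIpAddress"),  # Edge only, not always set
            "origin": origin}

def read_zone_identifier(path: str) -> Optional[dict]:
    """Read the ADS of a file on NTFS (Windows); None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no such file, or no such stream / not NTFS
        return None

# Constructed samples: a Chrome download and a file extracted from it.
DOWNLOAD_ADS = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                "ReferrerUrl=https://ericzimmerman.github.io/Software/\r\n"
                "HostUrl=https://ericzimmerman.github.io/Software/RegistryExplorer_RECmd.zip\r\n")
EXTRACTED_ADS = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=C:\\Users\\maverick\\Downloads\\RegistryExplorer_RECmd.zip\r\n")
```

On a live Windows system the same stream can be listed with `Get-Content -Path <file> -Stream Zone.Identifier`; `read_zone_identifier` simply opens that stream via the `file:Zone.Identifier` path syntax.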


Copying files to an external hard drive

“But Maverick,” you interject, “what happens when the files are copied to an external hard drive?”

“Fear not, Goose, the lovely thing about Zone.Identifiers is that they travel oh so well.”

Copying the downloaded zip to an NTFS formatted external hard drive still kept the Zone.Identifier intact:

Zip Zone.Identifier on External HDD


The same was found for the Zone.Identifiers for the extracted files:

Zip Zone.Identifier for Extract Files on External HDD


Till next time…

Update [2018-06-19]

Welcome to Next Time.

Thanks to Paul Bryant (see comments below the post) we have more ‘clarity’ on when Edge will add a HostIPAddress field to downloaded files.

Saving the Streams.zip with Edge:

The following DOES NOT store a HostIPAddress:
1. Clicking on a file link to directly download the file.
2. Right-clicking on a file link > Save Target As > clicking Save directly without changing the path.

The following stores a HostIPAddress:
1. Right-clicking on a file link > Save Target As > changing the target directory and saving the file.
2. Right-clicking on a file link > Save Target As > changing the target directory to something else, and then changing the target directory back to the original default folder.

Here is a sample of a Zone.Identifier containing a HostIpAddress for a file downloaded with Edge, where the target directory was changed a couple of times and then changed back to the Downloads dir:

So now, calculate how many users are on Windows 10, use Edge as their browser, and are “Right-Clicking, Save Target Assing, Change Dirring” when they save data.

That’s how often you’ll see the HostIPAddress field in a Zone.Identifier (that I know of).

Seems to be an Edge case, if you pardon the pun.

7 thoughts on “Highway To The Danger Zone.Identifier”

  1. Interestingly, when downloading the streams.zip file using Edge, it included a HostIpAddress. See below:

    [ZoneTransfer]
    HostIpAddress=117.18.232.200
    ZoneId=3
    ReferrerUrl=https://docs.microsoft.com/en-us/sysinternals/downloads/streams
    HostUrl=https://download.sysinternals.com/files/Streams.zip

    1. Just tested downloading the exact file with Edge v42.17134.1.0, but still no HostIpAddress:

      [ZoneTransfer]
      ZoneId=3
      ReferrerUrl=https://docs.microsoft.com/en-us/sysinternals/downloads/streams
      HostUrl=https://download.sysinternals.com/files/Streams.zip

  2. When I downloaded Sysinternals streams file using the Edge Browser, the HostIpAddress field was populated. See below:

    [ZoneTransfer]
    HostIpAddress=117.18.232.200
    ZoneId=3
    ReferrerUrl=https://docs.microsoft.com/en-us/sysinternals/downloads/streams
    HostUrl=https://download.sysinternals.com/files/Streams.zip

    1. Sorry for the double post. Do you think it might be related to the OS version? The Windows 10 version I used was 10.0.17134 Build 17134. I have a Windows 10 Pro and Windows 10 Education version on different workstations. I will repeat on those and see whether or not the HostIPAddress field is populated. I will give you feedback shortly.

  3. As a follow up, if I save the streams.zip file to the default downloads folder (in my case %USERPROFILE%\Downloads), the streams.zip:Zone.Identifier:$DATA file does not contain the HostIPAddress field. This applies to Windows 10 versions 10.0.17134 Build 17134.

    Nevertheless, in my testing, albeit limited, when I right-click and go save as and save it to a location other than the default download location, eg Desktop or Desktop\Test the streams.zip:Zone.Identifier:$DATA does contain the HostIPAddress field. This behaviour was consistent in testing on Windows 10 Enterprise, (10.0.16299 Build 16299), Windows 10 Pro (10.0.17134 Build 17134) and Windows 10 Home (10.0.17134 Build 17134).

    The streams.zip:Zone.Identifier:$DATA file downloaded to the default Downloads directory in the Windows 10 Enterprise Build 16299 did contain the HostIPAddress field.

    I would be interested to see if you can duplicate these results by saving the streams.zip file to a location other than your default download directory.
