Forum Discussion
oswaluc
Sep 06, 2024Copper Contributor
SHA-256 Custom Indicator Triggering on Zone.Identifier Stream Data
Hello, We are running Defender in a GCC High environment and recently ran into an issue where a new custom SHA-256 hash indicator was triggering/alerting for hundreds of UNIQUE files. Searching f...
jbmartin6
Sep 09, 2024Iron Contributor
It makes sense that Defender would hash data streams, since a data stream is really just a file attached to the same pointer as the main file. Some malware authors will attempt detection evasion by hiding payloads in ADS. I would guess that the hash in your intel is matching the ADS on all those files.
oswaluc
Sep 09, 2024Copper Contributor
I agree the hash was matching the ADS on all those files. The problem I still have is the lack of visibility/differentiation between the ADS hash and the "regular" file hash. For instance, If I search for the name of a file on the Microsoft Defender cloud portal (security.microsoft.us), it returns a list of files with the correct filename but no mention of it being the ADS file. Not until you dig deeper in "Advanced Hunting" and include a field called "AdditionalFields" do you see an entry with {"FileStreamName":"Zone.Identifier","FileType":"Unknown"}. This makes it more difficult to find the correct file hashes or accurately identify the number of targeted files in the environment.
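The following is an added example, not code from the thread or from Microsoft: a PowerShell script that hashes each NTFS data stream of a file separately, so the SHA-256 of the Zone.Identifier stream can be told apart from the SHA-256 of the file's main (:$DATA) stream. The two sample files and the "[ZoneTransfer] ZoneId=3" mark-of-the-web content are constructed for the demo; the function names Get-StreamBytes and Get-FileStreamHashes are this example's own.

```powershell
# Added example (not from the thread): hash every NTFS data stream of a file
# on its own, so a hit on the Zone.Identifier stream is not mistaken for a hit
# on the file's main (:$DATA) stream. Runs on Windows PowerShell 5.1 and PowerShell 7.

function Get-StreamBytes {
    param([string]$LiteralPath, [string]$Stream)
    # Get-Content's byte-mode switch differs between PowerShell 5.1 and 7.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else                                        { @{ Encoding = 'Byte' } }
    if ($Stream -eq ':$DATA') {
        # The unnamed stream is the file content itself; read it without -Stream.
        $bytes = Get-Content -LiteralPath $LiteralPath -Raw @byteArgs
    } else {
        $bytes = Get-Content -LiteralPath $LiteralPath -Stream $Stream -Raw @byteArgs
    }
    if ($null -eq $bytes) { return [byte[]]::new(0) }   # empty stream
    return [byte[]]$bytes
}

function Get-FileStreamHashes {
    # Returns one object per data stream: File, Stream, Length, SHA256.
    param([Parameter(Mandatory)][string]$LiteralPath)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($s in (Get-Item -LiteralPath $LiteralPath -Stream *)) {
            $bytes = Get-StreamBytes -LiteralPath $LiteralPath -Stream $s.Stream
            $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{
                File   = $s.FileName
                Stream = $s.Stream     # ':$DATA' for the main stream, else the ADS name
                Length = $s.Length
                SHA256 = $hash
            }
        }
    } finally { $sha.Dispose() }
}

# --- Constructed demo: two files with different content but the same MOTW stream ---
$dir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$motw  = "[ZoneTransfer]`r`nZoneId=3`r`n"    # what a browser download typically writes
$files = foreach ($name in 'report.docx', 'setup.exe') {
    $p = Join-Path $dir $name
    Set-Content -LiteralPath $p -Value ("unique content of " + $name) -NoNewline
    Set-Content -LiteralPath $p -Stream Zone.Identifier -Value $motw -NoNewline
    $p
}

$all = $files | ForEach-Object { Get-FileStreamHashes -LiteralPath $_ }
$all | Format-Table File, Stream, Length, SHA256 -AutoSize

# Any hash shared by more than one file is the Zone.Identifier stream, not the
# files themselves: this is what a SHA-256 indicator matching hundreds of
# "unique" files looks like when the indicator is really the ADS hash.
$all | Group-Object SHA256 | Where-Object Count -gt 1 |
    ForEach-Object { "{0} files share {1} via stream '{2}'" -f $_.Count, $_.Name, $_.Group[0].Stream }

Remove-Item -LiteralPath $dir -Recurse -Force
```

Run against a suspect file from the alert, compare the indicator hash with the SHA256 column: if it equals the Zone.Identifier row rather than the :$DATA row, the indicator is matching the mark-of-the-web stream, which is why it fires on many unrelated downloads. In Advanced Hunting the same distinction is visible only in the AdditionalFields column (FileStreamName), as described in the post above.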
jbmartin6
Sep 10, 2024Iron Contributor
That sounds annoying. I guess their logic is, if the stream is known bad then the whole file must be considered so as well. It should be more obvious for response handlers as you say. I don't think we've ever had an alternate stream trigger like this, now I am tempted to try it out.