SHA-256 Custom Indicator Triggering on Zone.Identifier Stream Data

Copper Contributor

Hello,

 

We are running Defender in a GCC High environment and recently ran into an issue where a new custom SHA-256 hash indicator was triggering/alerting for hundreds of UNIQUE files. Searching for the SHA-256 value in "Advanced Hunting" returns thousands of unique files (different file names/types) but shows the same file size for all of them (which is not accurate). We discovered that the hash value is actually pointing to the Zone.Identifier stream data on these files.

 

Any idea what would cause the Zone.Identifier data to be hashed while the content of the associated file is ignored?

 

Thank you.

Lucas

3 Replies
It makes sense that Defender would hash data streams, since a data stream is really just a file attached to the same pointer as the main file. Some malware authors will attempt evasion detection by hiding payloads in ADS. I would guess that the hash in your intel is matching the ADS on all those files.
I agree the hash was matching the ADS on all those files. The problem I still have is the lack of visibility/differentiation between the ADS hash and the "regular" file hash. For instance, If I search for the name of a file on the Microsoft Defender cloud portal (security.microsoft.us), it returns a list of files with the correct filename but no mention of it being the ADS file. Not until you dig deeper in "Advanced Hunting" and include a field called "AdditionalFields" do you see an entry with {"FileStreamName":"Zone.Identifier","FileType":"Unknown"}. This makes it more difficult to find the correct file hashes or accurately identify the number of targeted files in the environment.
That sounds annoying. I guess their logic is, if the stream is known bad then the whole file must be considered so as well. It should be more obvious for response handlers as you say. I don't think we've ever had an alternate stream trigger like this, now I am tempted to try it out.