
Commit d5dc059

authored
Suspicious ZoneIdentifier detected
1 parent 64bc21e commit d5dc059

1 file changed

Lines changed: 5 additions & 0 deletions


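--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -409,5 +409,10 @@
 "category" : "Malware & Threats",
 "name" : ".NET ClickOnce installation",
 "query" : "src.process.name = \"rundll32.exe\" #cmdline contains:anycase \"ShOpenVerbApplication\" #cmdline contains:anycase (\"http\",\".application\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000\n"
+},
+{
+"category" : "Malware & Threats",
+"name" : "Suspicious ZoneIdentifier detected",
+"query" : "indicator.name contains:anycase \"WriteToADS\" AND indicator.metadata contains:anycase \"Zone.Identifier\" AND ((indicator.metadata contains:anycase 'C:\\\\Perflogs\\\\' OR indicator.metadata contains:anycase '\\\\$Recycle.bin\\\\' OR indicator.metadata contains:anycase '\\\\config\\\\systemprofile\\\\' OR indicator.metadata contains:anycase '\\\\Intel\\\\Logs\\\\' OR indicator.metadata contains:anycase '\\\\RSA\\\\MachineKeys\\\\' OR indicator.metadata contains:anycase '\\\\Users\\\\All Users\\\\' OR indicator.metadata contains:anycase '\\\\Users\\\\Default\\\\' OR indicator.metadata contains:anycase '\\\\Users\\\\NetworkService\\\\' OR indicator.metadata contains:anycase '\\\\Users\\\\Public\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\addins\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\debug\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\Fonts\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\Help\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\IME\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\Media\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\repair\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\security\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\System32\\\\Tasks\\\\' OR indicator.metadata contains:anycase '\\\\Windows\\\\Tasks\\\\') AND NOT (indicator.metadata contains:anycase 'firefox' OR indicator.metadata contains:anycase 'citrix' OR indicator.metadata contains:anycase 'splunkd.exe' OR indicator.metadata contains:anycase 'ldapadmin.exe' OR indicator.metadata contains:anycase 'acslaunch_win' OR indicator.metadata contains:anycase 'gotoassist' OR src.process.user contains:anycase (\"system\",\"syst\u00e8me\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by indicator.name, indicator.description, indicator.metadata \n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, indicator.name, indicator.description, indicator.metadata, Count\n| sort -Count\n| limit 100000"
 }
 ]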
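Review bot: The `NOT (...)` exclusion group in the new query (line 416) allowlists by bare substring over indicator.metadata, the same field the watched-directory patterns are matched against, so any event whose metadata merely contains `firefox`, `citrix`, `gotoassist` and so on is suppressed regardless of which process performed the write. Since that field appears to carry the target path, a write into one of the listed directories whose file name happens to include one of those tokens would not be surfaced; tying the exclusions to the writing process instead, e.g. `src.process.name contains:anycase 'splunkd.exe'`, keeps the allowlist on process identity rather than on the written path. The `src.process.user contains:anycase ("system","système")` term also sits inside that OR group, so every write by an account whose name contains "system" is dropped; if that is deliberate noise reduction for service accounts, a short description stating so would help the next tuner. Two minor style points: the group line carries a stray trailing space before `\n` (`indicator.metadata \n`), and the query ends without the trailing `\n` that the ClickOnce entry above uses.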
