Query Details
**Identifying domains added into browser security zones via CLI**
**Description:** The ZoneMap key under Internet Settings is used to define security zones for specific domains.
Setting a value under ZoneMap\Domains\ configures how Windows handles security and permissions for that domain, so it is useful to identify whether a site has been added manually via the CLI or by a malicious script in order to whitelist domains and bypass defenses.
```kusto
DeviceEvents
| where AdditionalFields contains "ZoneMap"
// split the event's additional fields on spaces and keep only the token carrying the ZoneMap path
| extend command = split(AdditionalFields, ' ')
| mv-expand command
| where command contains "ZoneMap"
| extend command = tostring(command)
// split the registry path on backslashes; the quoted trailing segment is the domain key name
| extend command = split(command, '\\')
| mv-expand command
| extend command = tostring(command)
| where command endswith "'"
// strip the closing quote (replace_string replaces the deprecated replace())
| extend CleanedKey = replace_string(command, "'", "")
// in case you have trusted domains allowed to be whitelisted, add them in the next line
| where CleanedKey !in ("google.com")
| distinct Timestamp, DeviceName, AdditionalFields, CleanedKey, ReportId
```
This query is designed to identify domains that have been added to browser security zones on a device through the command line interface (CLI). Here is a simplified breakdown of what the query does:

- **Data source:** It starts from the DeviceEvents table, which contains logs of various events on a device.
- **Filter for ZoneMap:** It filters the events to those that mention "ZoneMap" in AdditionalFields. The "ZoneMap" key is used in Windows to define security zones for specific domains.
- **Extract commands:** The query splits AdditionalFields into individual tokens and further processes them to isolate those related to "ZoneMap".
- **Clean and extract domain:** It cleans up the extracted tokens to isolate the domain names that have been added to the security zones.
- **Exclude trusted domains:** It excludes any domains that are known and trusted (e.g., "google.com") from the results. You can add more trusted domains to this exclusion list.
- **Output:** Finally, it provides a distinct list of events with the timestamp, device name, additional fields, the cleaned domain name (CleanedKey), and the ReportId.

In summary, this query helps identify potentially unauthorized or malicious additions of domains to browser security zones, which could be used to bypass security measures.
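To show the extraction logic outside Advanced Hunting, here is an added Python example (not part of the original query or the author's material) that reproduces the same pipeline over constructed DeviceEvents-like rows. It goes slightly beyond the query: it only accepts key names located under ZoneMap\Domains, accepts a closing double quote as well as a single quote, and re-joins subdomain subkeys (Domains\example.net\www) into a full host name; the sample rows and the allowlist are constructed values.

```python
# Trusted domains, mirroring the query's "!in" exclusion list (constructed sample value)
ALLOWLIST = {"google.com"}

# Constructed sample rows in the shape of DeviceEvents; not real telemetry
ZONEMAP_DOMAINS = ("HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
                   "\\ZoneMap\\Domains\\")
SAMPLE_EVENTS = [
    {"Timestamp": "2025-02-27T10:00:00Z", "DeviceName": "ws01",
     "AdditionalFields": f"New-Item -Path '{ZONEMAP_DOMAINS}evil.example'"},
    {"Timestamp": "2025-02-27T10:01:00Z", "DeviceName": "ws01",
     "AdditionalFields": f"Set-ItemProperty -Path '{ZONEMAP_DOMAINS}google.com' -Name https -Value 2"},
    {"Timestamp": "2025-02-27T10:02:00Z", "DeviceName": "ws02",
     "AdditionalFields": f"New-Item -Path '{ZONEMAP_DOMAINS}example.net\\www' -Force"},
]


def extract_zonemap_domains(additional_fields: str, allowlist=ALLOWLIST) -> list[str]:
    """Reproduce the KQL pipeline over one AdditionalFields string: split on
    spaces, keep tokens mentioning ZoneMap, split them on backslashes and take
    the quoted trailing key name as the domain.

    Added generalisation (not in the original query): a key name only counts
    when it sits under ZoneMap\\Domains, and subdomain subkeys such as
    Domains\\example.net\\www are re-joined to www.example.net.
    """
    hits = []
    for token in additional_fields.split(" "):
        if "ZoneMap" not in token:
            continue
        segments = [s for s in token.split("\\") if s]  # tolerate doubled backslashes
        if "Domains" not in segments:
            continue  # e.g. the bare ZoneMap key, which the query would misreport as 'ZoneMap'
        tail = segments[segments.index("Domains") + 1:]
        if not tail or not tail[-1].endswith(("'", '"')):
            continue  # the query keys on a closing single quote; a double quote is accepted here too
        tail[-1] = tail[-1].rstrip("'\"")
        domain = ".".join(reversed(tail))
        if domain and domain not in allowlist:
            hits.append(domain)
    return hits


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run the extraction over DeviceEvents-like rows and return
    (Timestamp, DeviceName, CleanedKey) for every non-allowlisted domain."""
    return [(ev["Timestamp"], ev["DeviceName"], domain)
            for ev in events
            for domain in extract_zonemap_domains(ev["AdditionalFields"])]
```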

Sergio Albea
Released: February 27, 2025