Identifying Domains Added Into Browser Security Zones Via CLI
Query
DeviceEvents
| where AdditionalFields contains "ZoneMap"
| extend command = split(AdditionalFields, ' ')
| mv-expand command
| where command contains "ZoneMap"
| extend command = tostring(command)
| extend command = split(command, '\\')
| mv-expand command | extend tostring(command) | where command endswith "'"
| extend CleanedKey = replace(@"'", "", command)
// in case you have trusted domains allowed to be whitelisted, add them in the next line
| where CleanedKey !in ("google.com")
| distinct Timestamp, DeviceName, AdditionalFields, CleanedKey, ReportIdAbout this query
Identifying domains added into browser security zones via CLI
Description: The ZoneMap key under Internet Settings is used to define security zones for specific domains. By setting a value under ZoneMap\Domains, you are configuring how Windows handles security and permissions for that domain so it is really helpful to identify if some site has been added via cli manually or by some malicious script to whitelist some domains and bypass some defense.
Explanation
This query is designed to identify domains that have been added to browser security zones on a device through the command line interface (CLI). Here's a simplified breakdown of what the query does:
-
Data Source: It starts by looking at the
DeviceEventstable, which contains logs of various events on a device. -
Filter for ZoneMap: It filters the events to find those that mention "ZoneMap" in the
AdditionalFields. The "ZoneMap" key is used in Windows to define security zones for specific domains. -
Extract Commands: The query splits the
AdditionalFieldsinto individual commands and further processes them to isolate those related to "ZoneMap". -
Clean and Extract Domain: It cleans up the extracted commands to isolate the domain names that have been added to the security zones.
-
Exclude Trusted Domains: It excludes any domains that are known and trusted (e.g., "google.com") from the results. You can add more trusted domains to this exclusion list.
-
Output: Finally, it provides a distinct list of events with the timestamp, device name, additional fields, the cleaned domain name (CleanedKey), and a report ID.
In summary, this query helps identify potentially unauthorized or malicious additions of domains to browser security zones, which could be used to bypass security measures.
Details

Sergio Albea
Released: February 27, 2025
Tables
Keywords
Operators