Mark-of-the-Web Bypass

Information

• Name: Mark-of-the-Web Bypass

• ID: T1553.005

• Tactics: TA0005

• Technique: T1553

Introduction

Mark-of-the-Web (MOTW) Bypass (sub-technique T1553.005) is part of the MITRE ATT&CK framework, categorized under "Subvert Trust Controls." MOTW is a security feature implemented by Microsoft Windows to flag files downloaded from the internet and prompt users with a security warning before execution. Attackers use various methods to bypass or remove MOTW flags, allowing malicious files to execute without triggering security warnings, thereby increasing the likelihood of successful exploitation and reducing user suspicion.

Deep Dive Into Technique

The Mark-of-the-Web is implemented through NTFS Alternate Data Streams (ADS), specifically using the Zone.Identifier stream, which indicates a file's origin from the internet. When a file is downloaded via a browser, email client, or other internet-aware applications, Windows attaches this metadata to the file. This metadata triggers security features like SmartScreen and Protected View, prompting warnings before file execution.

Attackers employ various methods to bypass or remove the MOTW flags, including but not limited to:

• Alternate Data Stream Removal:

  • Attackers use built-in Windows commands such as powershell.exe or cmd.exe to remove the Zone.Identifier ADS from files.

  • Example command:

    Copy

    powershell -command "Unblock-File -Path malicious.exe"

• Archiving and Extraction Techniques:

  • Compressing malicious files into archives (ZIP, ISO, IMG, VHD) to bypass MOTW tagging during extraction.

  • Files extracted from certain archive formats, such as ISO or VHD, may not inherit the MOTW flag, allowing execution without warnings.

• File Format Abuse:

  • Embedding malicious payloads into file formats that Windows inherently trusts or does not mark with MOTW, such as ISO disk images, VHD files, or virtual disk images, bypassing MOTW entirely upon mounting or execution.

• Container File Execution:

  • Leveraging container files (ISO, IMG, VHD) to deliver malware without MOTW tags, as Windows Explorer and certain third-party extraction tools may not propagate MOTW flags to files extracted or executed from these containers.

• Abusing Trusted Applications:

  • Utilizing trusted applications or scripts (PowerShell, MSHTA, rundll32.exe) to execute MOTW-tagged files without triggering security warnings.

When this Technique is Usually Used

Attackers typically leverage MOTW bypass techniques during the initial access and execution phases of an attack lifecycle. Common scenarios include:

• Phishing Campaigns:

  • Malicious attachments sent via email, where attackers use archives or container file formats to bypass MOTW tagging.

• Drive-by Downloads:

  • Malicious payloads downloaded silently from compromised websites that attempt to bypass MOTW tagging to avoid security prompts.

• Social Engineering Attacks:

  • Users tricked into downloading and executing files that have MOTW flags removed or bypassed, allowing malware execution without visible warnings.

• Supply Chain Attacks:

  • Attackers embedding malicious payloads within trusted software distribution channels, bypassing MOTW flags to evade user suspicion.

• Red Team Engagements:

  • Security professionals simulating adversaries use MOTW bypass techniques to test organizational defenses and user awareness.

How this Technique is Usually Detected

Detection of MOTW bypass techniques relies on monitoring and analyzing system-level events, file attributes, and behaviors. Common detection methods and tools include:

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring file system activities for removal or modification of Zone.Identifier ADS streams.

  • Detecting suspicious PowerShell or command-line executions that invoke MOTW removal commands (Unblock-File, Remove-Item, ADS modifications).

• Sysmon and Event Logs:

  • Utilizing Sysmon to log file creation, ADS stream modifications, and suspicious process executions.

  • Example Sysmon rule to detect ADS deletion:

    Copy

    <Sysmon schemaversion="4.50">
      <EventFiltering>
        <FileDeleteDetected onmatch="include">
          <TargetFilename condition="contains">:Zone.Identifier</TargetFilename>
        </FileDeleteDetected>
      </EventFiltering>
    </Sysmon>

• Monitoring Archive Extraction Events:

  • Tracking extraction of files from archives (ISO, IMG, VHD) and correlating with subsequent suspicious process executions.

• Behavioral Analytics:

  • Identifying unusual file execution patterns, such as execution of files downloaded from external sources without MOTW flags.

  • Detecting mounting of virtual disks (ISO, VHD) followed by immediate execution of embedded executables.

• Indicators of Compromise (IoCs):

  • Presence of suspicious files without MOTW flags in user download directories.

  • Execution of files from mounted images (ISO, IMG, VHD) or extracted archives without prior MOTW warnings.

  • Unusual usage of PowerShell commands like Unblock-File, ADS removal commands, or deletion of Zone.Identifier streams.

Why it is Important to Detect This Technique

Detecting MOTW bypass techniques is crucial due to the significant security implications, including:

• Increased Malware Execution Risk:

  • Successful MOTW bypass allows malware to execute without security warnings, significantly increasing infection rates.

• Reduced User Awareness:

  • Without MOTW warnings, users are less likely to suspect malicious intent, increasing the likelihood of successful social engineering and phishing attacks.

• Evasion of Security Controls:

  • MOTW bypass techniques allow attackers to evade built-in Windows security features such as SmartScreen, Protected View, and Application Guard.

• Early Stage Attack Detection:

  • Detecting MOTW bypass attempts can help security teams identify and respond to attacks at early stages, preventing further lateral movement and escalation.

• Compliance and Regulatory Risks:

  • Failure to detect and mitigate MOTW bypass techniques can result in regulatory non-compliance, data breaches, and reputational damage.

Examples

Real-world examples of MOTW bypass techniques include:

• Qakbot Malware Campaigns:

  • Attackers distributed Qakbot malware via phishing emails containing ISO or ZIP archives. When users extracted or mounted these files, the malware executed without MOTW warnings, facilitating widespread infections.

• Emotet Malware Distribution:

  • Emotet operators used malicious attachments in ISO and IMG formats, bypassing MOTW tagging and executing payloads without triggering security prompts.

• BazarLoader Phishing Attacks:

  • Attackers leveraged container files (ISO, VHD) hosting malicious executables, bypassing MOTW and resulting in successful ransomware deployments.

• Red Team Tools and Techniques:

  • Offensive security tools such as "Mark-of-the-Web bypass scripts" publicly available on GitHub demonstrate various methods to remove Zone.Identifier streams or execute payloads without MOTW flags.

• Windows Shortcut (LNK) Abuse:

  • Attackers created malicious LNK files within ISO or VHD files, bypassing MOTW tagging upon execution and initiating malware downloads or executions.

These examples highlight the practical exploitation of MOTW bypass methods, underscoring the importance of robust detection and mitigation strategies.