What is Mark of the Web (MotW)?
Technically, MotW is not a file attribute in the traditional sense (like “Read-only”). It is an Alternate Data Stream (ADS) named Zone.Identifier attached to files downloaded via browsers, email clients, or messaging apps.
When a file is downloaded, the application uses the IAttachmentExecute API to write this stream. You can see it yourself via PowerShell:
Get-Content ./payload.exe -Stream Zone.Identifier
The ZoneId Values
The stream typically contains a ZoneId that tells Windows where the file came from:
- 0: Local Computer
- 1: Local Intranet
- 2: Trusted Sites
- 3: Internet (This triggers SmartScreen and Protected View)
- 4: Restricted Sites
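As an added example (not code from the original post), here is a small Python parser for the text that the Get-Content command above prints from the Zone.Identifier stream; the sample stream and its URLs are constructed, and a missing or unparseable mark is reported as unverified rather than as local, which is the safe default when auditing extracted files.

```python
from dataclasses import dataclass
from typing import Optional

# Meaning of the ZoneId values listed above.
ZONE_NAMES = {0: "Local Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample: the text `Get-Content <file> -Stream Zone.Identifier` prints
# for a browser download (URLs are placeholders).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/report.docx\r\n")


@dataclass
class ZoneInfo:
    zone_id: Optional[int]          # None when the stream is absent or unusable
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")

    @property
    def untrusted(self) -> bool:
        """True for Internet (3) and Restricted Sites (4), the zones that
        trigger SmartScreen / Protected View, and for a missing or
        malformed mark, which an audit should treat as unverified."""
        return self.zone_id is None or self.zone_id >= 3


def parse_zone_identifier(stream_text: Optional[str]) -> ZoneInfo:
    """Parse a Zone.Identifier ADS body: an INI-style [ZoneTransfer] section
    holding ZoneId and, optionally, ReferrerUrl and HostUrl."""
    if not stream_text:
        return ZoneInfo(None, None, None)
    values = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    zone = values.get("zoneid", "")
    zone_id = int(zone) if zone.isdigit() else None
    return ZoneInfo(zone_id, values.get("referrerurl"), values.get("hosturl"))
```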
Why it matters for Red Teamers
If a file has a ZoneId=3, Windows triggers several defenses:
- SmartScreen: Scans the file hash against Microsoft’s reputation database.
- Microsoft Office Protected View: Disables macros and editing for “unsafe” documents.
- Security Warnings: Displays the “Are you sure you want to run this?” pop-up.
MotW Bypass Techniques
Bypassing MotW usually involves tricking the OS into losing the ADS during the extraction/execution process or using file formats that don’t support or enforce the check.
1. Container Bootstrapping (ISO, VHDX, IMG)
This was the “gold standard” for a long time. When a user downloads an ISO or VHDX, the container itself gets the MotW. However, when the user double-clicks to “mount” it, the files inside the virtual disk often do not inherit the MotW because the virtual file system doesn’t always propagate the ADS.
Note: Microsoft has released patches to improve MotW propagation into ISOs, but effectiveness varies based on the extraction method and OS version.
2. The “Zip-of-Death” (Archive Bypasses)
Some third-party archive tools (like older versions of 7-Zip) did not always propagate the Zone.Identifier stream to extracted files. While Windows' native ZIP extraction now propagates it, less common formats like .7z or .rar can sometimes slip through if the victim uses an extraction tool that ignores the ADS.
3. App-V and Specialized Formats
Files delivered via App-V (Application Virtualization) or packaged as MSIX installers can sometimes bypass traditional MotW checks because they operate within a virtualized container that the shell handles differently than a raw .exe or .js file.
4. Direct Disk Writes
If you can gain execution through a vulnerability (like a browser exploit), writing a file directly to the disk using low-level APIs can bypass the IAttachmentExecute interface entirely, resulting in a “clean” file with no Zone.Identifier stream.
5. Authenticode Signing
While not technically a “bypass” of the mark itself, signing your payload with a valid (or stolen) Extended Validation (EV) Code Signing Certificate effectively nullifies the negative impact of MotW. SmartScreen trusts the reputation of the signer, allowing the file to run without a “Windows Protected Your PC” block.
6. Logic Flaws (e.g., CVE-2022-41091)
Occasionally, researchers find “0-day” bypasses where specifically crafted files (like certain ZIP structures or JavaScript files) cause the MotW parser to fail or return an error, leading the OS to default to “Allow” because it can’t definitively prove the file is from the internet.
Summary Table
| Technique | Mechanism | Status |
| --- | --- | --- |
| Containers | ISO/VHDX mounting avoids ADS propagation. | Partially Patched |
| Archive Formats | Using .7z or .rar with specific extractors. | Environmental |
| Code Signing | Overriding MotW suspicion with EV reputation. | Highly Effective |
| ADS Stripping | Moving files to non-NTFS volumes (FAT32/exFAT). | Manual/Clunky |