Mark-of-the-Web (MotW) Bypass
MITRE ATT&CK™ Subvert Trust Controls: Mark-of-the-Web Bypass - Technique T1553.005
Last updated
Was this helpful?
MITRE ATT&CK™ Subvert Trust Controls: Mark-of-the-Web Bypass - Technique T1553.005
Last updated
Was this helpful?
Windows uses the to indicate that a file originated from the Internet, which gives an opportunity to perform additional inspection of the content. MotW also supplies the basis for prompting a user with an additional prompt when are opened.
MotW is applied to a file by appending a Alternate Data Stream (ADS) to the downloaded file that indicates the URL, and, optionally, the referrer URL from which the file originated. Antivirus (AV) and endpoint detection and response (EDR) products can use this information to supplement their reputation lookups.
However, Alternate Data Stream (ADS) requires an NTFS file system. We may bypass MotW by unsing container file formats that support other file systems outside of NTFS like .iso, .img, .vhd, and .vhdx. Windows can automatically mount these file systems, so all that we need it's the victim to double-click the container file and then double-click the embedded malicious file that won’t have MotW applied.
After getting the putty-64bit.isoon our Windows target, we see that the .msi inside the ISO, is not MOTW-marked.
(Python) can be use to packages payloads into output containers to evade Mark-of-the-Web flag. It supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX.
