
Mark-of-the-Web (MotW) Bypass

MITRE ATT&CK™ Subvert Trust Controls: Mark-of-the-Web Bypass - Technique T1553.005

Theory

Windows uses the Mark-of-the-Web (MotW) to indicate that a file originated from the Internet, which gives Microsoft Defender SmartScreen an opportunity to perform additional inspection of the content. MotW is also the basis for showing the user an additional warning prompt when files with high-risk extensions are opened.

MotW is applied to a file by appending a Zone.Identifier Alternate Data Stream (ADS) to the downloaded file that indicates the URL, and, optionally, the referrer URL from which the file originated. Antivirus (AV) and endpoint detection and response (EDR) products can use this information to supplement their reputation lookups.

However, Alternate Data Streams (ADS) require an NTFS file system. We may bypass MotW by using container file formats that carry a file system other than NTFS, like .iso, .img, .vhd, and .vhdx. Windows can automatically mount these file systems, so all we need is for the victim to double-click the container file and then double-click the embedded malicious file, which won't have MotW applied.
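The Zone.Identifier stream described above is a small INI-style text. The following Python is an added example (not from this page and not part of PackMyPayload) that parses that stream, maps the ZoneId to its URLMON zone name, and applies the defender's check implied by the Theory section: a container that itself carries an Internet-zone MotW while the files inside the mounted image carry none. The stream text, the `example.invalid` URLs and the `D:\` paths are constructed sample data; `read_motw` only works on Windows/NTFS, where the stream is opened as `<file>:Zone.Identifier`.

```python
"""Parse Zone.Identifier (Mark-of-the-Web) and flag container contents without it.

Added example; the sample stream, URLs and paths below are constructed.
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional, Tuple

# URLMON security zone identifiers as written into the ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MotW:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")


def parse_zone_identifier(stream_text: str) -> MotW:
    """Parse the text of a Zone.Identifier ADS.

    The stream is an INI fragment with a single [ZoneTransfer] section; ZoneId is
    mandatory, ReferrerUrl and HostUrl are optional.
    """
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case (ZoneId, HostUrl, ...)
    cp.read_string(stream_text)
    if "ZoneTransfer" not in cp:
        raise ValueError("Zone.Identifier has no [ZoneTransfer] section")
    sect = cp["ZoneTransfer"]
    return MotW(
        zone_id=int(sect["ZoneId"]),
        referrer_url=sect.get("ReferrerUrl"),
        host_url=sect.get("HostUrl"),
    )


def read_motw(path: str) -> Optional[MotW]:
    """Read MotW from a file's ADS. Windows/NTFS only; None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def files_missing_motw(
    container_motw: Optional[MotW], entries: List[Tuple[str, Optional[str]]]
) -> List[str]:
    """Return paths inside a mounted container that carry no Zone.Identifier
    although the container itself was marked Internet (or Restricted) zone.

    `entries` pairs each file path with the text of its Zone.Identifier stream,
    or None when the stream does not exist (the MotW-bypass condition).
    """
    if container_motw is None or container_motw.zone_id < 3:
        return []  # container not from an untrusted zone: nothing to flag
    return [path for path, stream_text in entries if stream_text is None]


# Constructed sample: what the downloaded ISO's Zone.Identifier stream would hold.
SAMPLE_ISO_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download/\r\n"
    "HostUrl=https://example.invalid/putty-64bit.iso\r\n"
)

# Constructed sample: files seen after mounting the ISO, none with a Zone.Identifier.
SAMPLE_MOUNTED_ENTRIES: List[Tuple[str, Optional[str]]] = [
    ("D:\\putty-64bit.msi", None),
    ("D:\\readme.txt", None),
]


if __name__ == "__main__":
    iso = parse_zone_identifier(SAMPLE_ISO_STREAM)
    print(f"container zone: {iso.zone_id} ({iso.zone_name}), host: {iso.host_url}")
    for p in files_missing_motw(iso, SAMPLE_MOUNTED_ENTRIES):
        print(f"no MotW on file delivered by Internet-zone container: {p}")
```

On a real Windows host the native equivalent of `read_motw` is `Get-Content -Path <file> -Stream Zone.Identifier`, and the same comparison (container marked, contents unmarked) is what a detection rule keyed on process creation from a mounted image drive letter is trying to approximate.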

Practice

PackMyPayload (Python) can be used to package payloads into output containers that evade the Mark-of-the-Web flag. It supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX.

After getting the putty-64bit.iso on our Windows target, we see that the .msi inside the ISO is not MotW-marked.

Note that the ISO file itself will still be MotW-marked.

(Screenshot: PackMyPayload testing)
