T1553.005: Mark-of-the-Web Bypass

View on MITRE ATT&CK	T1553.005
Tactic(s)	Defense Evasion

Data from MITRE ATT&CK®:

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)

Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

How to detect this technique

MITRE ATT&CK Data Components

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

Sigma Detections for this Technique

Suspicious Unblock-File

windows ps script

Suspicious Mount-DiskImage

windows ps script

Suspicious Invoke-Item From Mount-DiskImage

windows ps script

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
SI-7: Software, Firmware, and Information Integrity
SI-4: System Monitoring
CM-7: Least Functionality
CM-6: Configuration Settings
SI-10: Information Input Validation
CM-2: Baseline Configuration

T1553.005: Mark-of-the-Web Bypass

Cyber Threat Graph Context

Mitigations for this technique

Disable or Remove Feature or Program

Execution Prevention

How to detect this technique

File Metadata (File)

File Creation (File)

Control Validation Tests for this Technique

Remove the Zone.Identifier alternate data stream

Mount an ISO image and run executable from the ISO

Mount ISO image

Execute LNK file from ISO

Sigma Detections for this Technique

Suspicious Unblock-File

Suspicious Mount-DiskImage

Suspicious Invoke-Item From Mount-DiskImage

SP800-53 Controls