Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1553.005 | Mark-of-the-Web Bypass | |
| SI-10 | Information Input Validation | mitigates | T1553.005 | Mark-of-the-Web Bypass | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1553.005 | Mark-of-the-Web Bypass | |
| CM-02 | Baseline Configuration | mitigates | T1553.005 | Mark-of-the-Web Bypass | |
| CM-07 | Least Functionality | mitigates | T1553.005 | Mark-of-the-Web Bypass | |
| SI-04 | System Monitoring | mitigates | T1553.005 | Mark-of-the-Web Bypass |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2025-0411 | 7-Zip Mark of the Web Bypass Vulnerability | exploitation_technique | T1553.005 | Mark-of-the-Web Bypass |
Comments
Attackers can double-archive malicious payloads with 7-Zip to bypass Windows's Mark-of-the-Web security feature, further allowing the bypassing of Microsoft Defender SmartScreen. This allows attackers to disseminate these payloads via methods like email attachments, which would normally be subject to additional scrutiny by the service's protective measures. This flaw was patched in 7-Zip version 24.09.
References
|
| CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | secondary_impact | T1553.005 | Mark-of-the-Web Bypass |
Comments
This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key.
The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts.
This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption.
The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1553.005 | Mark-of-the-Web Bypass |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-AACI-E3 | Adaptive Application Control Integration | Technique Scores | T1553.005 | Mark-of-the-Web Bypass |
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Events are calculated once every twelve hours, so its temporal score is Partial.
References
|