EXPLORE
Sign In
← Back to Explore
T1553.005

Mark-of-the-Web Bypass

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Pro...

Windows
11
Detections
2
Sources
3
Threat Actors

BY SOURCE

6sigma5splunk_escu

PROCEDURES (8)

Container2 detections

Auto-extracted: 2 detections for container

Privilege2 detections

Auto-extracted: 2 detections for privilege

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Download1 detections

Auto-extracted: 1 detections for download

Event Log1 detections

Auto-extracted: 1 detections for event log

Download1 detections

Auto-extracted: 1 detections for download

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (3)

APT29APT38TA505

DETECTIONS (11)

Suspicious Invoke-Item From Mount-DiskImage
sigmamedium
Suspicious Mount-DiskImage
sigmalow
Suspicious Unblock-File
sigmamedium
Windows Advanced Installer MSIX with AI_STUBS Execution
splunk_escu
Windows AppX Deployment Full Trust Package Installation
splunk_escu
Windows AppX Deployment Full Trust Package Installation
sigmamedium
Windows AppX Deployment Unsigned Package Installation
splunk_escu
Windows AppX Deployment Unsigned Package Installation
sigmamedium
Windows Developer-Signed MSIX Package Installation
splunk_escu
Windows Mark Of The Web Bypass
splunk_escu
Windows MSIX Package Support Framework AI_STUBS Execution
sigmalow