{
	"id": "e0a8d896-83db-4c0b-bfd1-3777c68cc931",
	"created_at": "2026-04-06T00:18:23.291154Z",
	"updated_at": "2026-04-10T03:36:36.940877Z",
	"deleted_at": null,
	"sha1_hash": "ab77c712512ea3387da00e89435f82b08eb4ab89",
	"title": "Mark-of-the-Web from a Red Team's Perspective | Outflank",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92852,
	"plain_text": "Mark-of-the-Web from a Red Team's Perspective | Outflank\r\nBy Stan\r\nPublished: 2020-03-30 · Archived: 2026-04-05 19:40:02 UTC\r\nZone Identifier Alternate Data Stream information, commonly referred to as Mark-of-the-Web (abbreviated\r\nMOTW), can be a significant hurdle for red teamers and penetration testers, especially when attempting to gain an\r\ninitial foothold.\r\nYour payload in the format of an executable, MS Office file or CHM file is likely to receive extra scrutiny from\r\nthe Windows OS and security products when that file is marked as downloaded from the internet. In this blog post\r\nwe will explain how this mechanism works and we will explore offensive techniques that can help evade or get rid\r\nof MOTW.\r\nNote that the techniques described in this blog post are not new. We have witnessed all of them being abused in\r\nthe wild. Hence, this blog post serves to raise awareness on these techniques for both red teamers (for more\r\nrealistic adversary simulations) and blue teamers (for better countermeasures and understanding of attacker\r\ntechniques).\r\nIntroduction to MOTW\r\nMark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer to force saved\r\nwebpages to run in the security zone of the location the page was saved from. Back in the day, this was achieved\r\nby adding an HTML comment in the form of \u003c!-- saved from url=\u003e at the beginning of a saved web page.\r\nThis mechanism was later extended to other file types than HTML. This was achieved by creating an alternate\r\ndata stream (ADS) for downloaded files. ADS is an NTFS file system feature that was added as early as Windows\r\n3.1. This feature allows for more than one data stream to be associated with a filename, using the format\r\n“filename:streamname”.\r\nWhen downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this\r\nstream in order to indicate from which zone the file originates. 
Although it is not an official name, many people\r\nstill refer to this functionality as Mark-of-the-Web.\r\nListing and viewing alternate data streams is trivial using PowerShell: both the Get-Item and Get-Content\r\ncmdlets take a “Stream” parameter, as can be seen in the following screenshot.\r\nhttps://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\r\nPage 1 of 7\n\nThe following ZoneId values may be used in a Zone.Identifier ADS:\r\n0. Local computer\r\n1. Local intranet\r\n2. Trusted sites\r\n3. Internet\r\n4. Restricted sites\r\nNowadays all major software on the Windows platform that deals with attachments or downloaded files generates\r\na Zone.Identifier ADS, including Internet Explorer, Edge, Outlook, Chrome, Firefox, etc. How do these programs\r\nwrite this ADS? Either by creating the ADS directly or via the system’s implementation of the\r\nIAttachmentExecute interface. The behavior of the latter can be controlled via the SaveZoneInformation property\r\nin the Attachment Manager.\r\nNote that Windows 10’s implementation of the IAttachmentExecute interface will also add URL information to\r\nthe Zone.Identifier ADS:\r\nFor red teamers, it’s probably good to realize that MOTW will also get set when using the HTML smuggling\r\ntechnique (note the “blob” keyword in the screenshot above, which is an indicator of potential HTML smuggling).\r\nThe role of MOTW in security measures\r\nThe information from the Zone Identifier Alternate Data Stream is used by Windows, MS Office and various other\r\nprograms to trigger security features on downloaded files. The following are the most notable ones from a red\r\nteamer’s perspective (but there are more – this list is far from complete).\r\nWindows Defender SmartScreen\r\nThis feature works by checking downloaded executable files (based on Zone Identifier ADS) against a whitelist of\r\nfiles that are well known and downloaded by many Windows users. 
If the file is not on that list, Windows\r\nDefender SmartScreen shows the following warning:\r\nMS Office Protected View\r\nThe Protected View sandbox attempts to protect MS Office users against potential risks in files originating from\r\nthe internet or other dangerous zones. By default, most MS Office file types flagged with MOTW will be opened\r\nin this sandbox. Many users know this feature as MS Office’s famous yellow bar with the “Enable Editing”\r\nbutton.\r\nMWR (now F-Secure Labs) published a great technical write-up on this sandbox some years ago. Note that\r\nsome MS Office file types cannot be loaded in the Protected View sandbox. SYLK is a famous example of this.\r\nMS Office block macros downloaded from the internet\r\nThis feature was introduced in Office 2016 and later back-ported to Office 2013. If this setting is enabled, macros\r\nin MS Office files flagged with MOTW are disabled and a message is displayed to the user.\r\nThis warning message cannot be ignored by the end user, which makes it a very effective measure against mass-scale macro-based malware.\r\nVisual Studio project files\r\nOpening untrusted Visual Studio project files can be dangerous (see my presentation at Nullcon Goa 2020 for the\r\nreasons why). 
By default, Visual Studio will display a warning message for any project file which has the MOTW\r\nattribute set.\r\nApplication Guard for Office\r\nThis newly announced feature runs potentially malicious macros embedded in MS Office files in a small virtual\r\nmachine (based on Application Guard technology) in order to protect the OS.\r\nFrom the limited documentation available, the decision to run a document in a VM is based on MOTW.\r\nUnfortunately, I don’t have access to this technology yet, so I cannot confirm this statement through testing.\r\nStrategies to get rid of MOTW\r\nFrom a red teamer’s perspective, there are two strategies we can employ to evade MOTW. All of the techniques\r\nthat we have witnessed in the wild can be categorized under the following two strategies:\r\n1. Abusing software that does not set MOTW – delivering your payload in a file format which is handled\r\nby software that does not set or propagate Zone Identifier information.\r\n2. Abusing container formats – delivering your payload in a container format which does not support\r\nNTFS’ alternate data stream feature.\r\nOf course there is a third strategy: social engineering the user into removing the MOTW attribute (right click file\r\n-\u003e properties -\u003e unblock). But since this is a technical blog post, this strategy is out of scope for this write-up. And\r\nfor the blue team: you can technically prevent your end-users from doing this by setting\r\nHideZoneInfoOnProperties via group policy.\r\nLet’s explore the two technical strategies for getting rid of MOTW in more depth…\r\nStrategy 1: abusing software that does not set MOTW\r\nThe first strategy is to deliver your payload via software that does not set (or propagate) the MOTW attribute.\r\nA good example of this is the Git client. 
The following picture shows that a file cloned from GitHub with the Git\r\nclient does not have a Zone.Identifier ADS.\r\nFor red teamers targeting developers, delivering your payloads via Git might be a good option to evade MOTW.\r\nThis is especially relevant for payloads targeting Visual Studio, but that is material for a future blog post. 🙂\r\nAnother famous example of software that does not set a Zone.Identifier ADS is 7Zip. This archiving client only\r\nsets a MOTW flag when a file is double-clicked from the GUI, which means the file is extracted to the temp\r\ndirectory and opened from there. However, upon manual extraction of files to other locations (i.e. clicking the\r\nextract button instead of double-clicking), 7Zip does not propagate a Zone.Identifier ADS for extracted files. Note\r\nthat this works regardless of the archiving file format: any extension handled by 7Zip (7z, zip, rar, etc.) will\r\ndemonstrate this behavior.\r\nThis appears to be a conscious design decision by the 7Zip lead developer, as can be seen in the following excerpt\r\nfrom a discussion on SourceForge. More information can be found here.\r\nAs a side note, I wouldn’t recommend using 7Zip for extracting potentially dangerous files anyway, since it is a\r\nproduct known for making “odd” security decisions (such as the lack of ASLR…).\r\nStrategy 2: abusing container formats\r\nRemember that alternate data streams are an NTFS feature? This means that Zone Identifier ADS cannot be\r\ncreated on other file systems, such as FAT32. From a red teamer’s perspective we can exploit this behavior by\r\nembedding our payload in a file system container such as ISO or VHD(X).\r\nWhen opening such a container with Windows Explorer, MOTW on the outside container will not be propagated\r\nto files inside the container. 
This is demonstrated in the screenshot below: the downloaded ISO is flagged with\r\nMOTW, but the payload inside the ISO is not.\r\nNote that payload delivery via the ISO format is an evasion technique commonly observed in the wild. For\r\nexample, TA505 is a prominent actor known to abuse this technique.\r\nMessage to the Blue Team\r\nSo, what does all of this mean when you are trying to defend your network?\r\nFirst of all, the fact that a security measure can be circumvented does not render such a measure useless. There\r\nwill be plenty of attackers that do not use the techniques described in this blog post. In particular, I am a big fan of\r\nthe measure to block macros in files downloaded from the internet, which is available in MS Office 2013 and\r\nsubsequent versions.\r\nSecond, the techniques described in this blog post acknowledge a very important security paradigm: defense in\r\ndepth. Do not engineer an environment in which your security depends on a single preventive measure (in this\r\nexample MOTW).\r\nStart thinking about which other measures you can take in case attackers are trying to evade MOTW. For example,\r\nif feasible for your organization, block container formats in your mail filter and proxy. Also, limit the impact of\r\nany malicious files that may have bypassed measures relying on MOTW, for example using Attack Surface\r\nReduction rules.\r\nI think you get the idea: don’t do coconut security – a single hard layer, but all soft when it’s cracked.\r\nIn order to help other red teams easily implement these techniques and more, we’ve developed Outflank Security\r\nTooling (OST), a broad set of evasive tools that allow users to safely and easily perform complex tasks. 
If you’re\r\ninterested in seeing the diverse offerings in OST, we recommend scheduling an expert led demo.\r\nSource: https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\r\nhttps://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/"
	],
	"report_names": [
		"mark-of-the-web-from-a-red-teams-perspective"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab77c712512ea3387da00e89435f82b08eb4ab89.pdf",
		"text": "https://archive.orkl.eu/ab77c712512ea3387da00e89435f82b08eb4ab89.txt",
		"img": "https://archive.orkl.eu/ab77c712512ea3387da00e89435f82b08eb4ab89.jpg"
	}
}