MOTW Defensive and Bypass techniques

Mark of the Web "MOTW" defensive and bypass techniques.

Hello Everyone! When performing a Red Team engagement, one of the main questions is "How do I deliver the payload to the victim?" and, as you know, there are multiple ways to do it, for example:

  1. You can send a link to the victim, and once they click on it, the payload is downloaded automatically.

  2. You can send the payload embedded in a file such as a Word document or an Excel sheet, and once the file is opened, the payload is triggered.

We will talk more about the 2nd way, "Injecting the payload into a downloaded file". After the file is downloaded, it is tainted with a Mark of the Web "MOTW", and that is what this blog is about, so let me first describe what it is and then show how these restrictions can be bypassed so that a payload can be delivered without detection or any strange behavior.

So, Let's get started 🎉

Description

I think the first question that comes to your mind is: what is the MOTW? So let me first talk about the concept itself before getting deeper into the defensive mechanisms and how they are bypassed.

If you download any file from any website on the internet to a device running Microsoft Windows, something called the Mark of the Web "MOTW" is added to the downloaded file, whether the website is trusted or not. Consider it a flag attached to your file that tells programs like MS Office, and Windows itself, where the user got this file: whether it was downloaded from the internet, created locally by the user, or something else.

This flag is very important for specific programs like MS Office and Excel, and for the Windows system in general, because it sorts files into groups and assigns a danger level to every file based on its group. There are 5 groups:

  1. Local Computer

  2. Local Intranet

  3. Trusted Sites

  4. Internet

  5. Restricted Sites

The first group, "Local Computer", is a safe place, so a file sorted into this group based on its flag is trusted by the system and by the programs that check the group of every file. In contrast, if the same file is sorted into the 4th group, "Internet", it will not be trusted: when you try to open it, it may be deleted by the system, you may get a warning that the file may be harmful, or at the very least no commands embedded in the file will execute without the user's permission.

The relation between MOTW and Zone.Identifier

The MOTW feature was originally introduced by Internet Explorer to force saved web pages to run in the security zone of the location the page was saved from. Back in the day, this was achieved by adding an HTML comment of the form <!-- saved from url= --> (with the source URL after the equals sign) at the beginning of a saved web page.

After some time, Microsoft wanted to apply the same mechanism to file types other than HTML web pages, for example text, Word and Excel files. But how did they achieve it?

The answer to this question describes the relationship between the MOTW and the Zone.Identifier. It was achieved by creating an alternate data stream (ADS) for downloaded files. ADS is an NTFS file system feature that was added as early as Windows 3.1. It allows more than one data stream to be associated with a filename, using the format "filename:streamname".

When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and writes a ZoneId into this stream to indicate which zone the file originates from.

You can check the Zone.Identifier for any file by using the following command

PS C:\Users\eslam3kl\Downloads> gc .\file.txt -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3

As you can see, the downloaded file is marked with ZoneId=3, which means it is not considered safe by the Windows system and its programs like MS Office, because it was downloaded from the internet.

Some people define the MOTW as the Zone.Identifier and treat the two as the same thing, but that is not right.

The MOTW is a technique that started with web pages; when it was extended to other file types, the Zone.Identifier was introduced, which is an ADS as described above.
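The following PowerShell script is an added example (not part of the original post) that turns the one-off gc command above into a folder audit: it reads each file's Zone.Identifier stream, parses every key=value line, and maps the ZoneId to the five zones listed earlier. It assumes an NTFS volume and Windows PowerShell 5 or later; the Downloads folder is only a default you can override.

```powershell
# Added example: audit a folder for Mark of the Web via the Zone.Identifier ADS.
# Assumes NTFS and PowerShell 5+. ZoneId values map to the five zones above.

$ZoneNames = @{
    0 = 'Local Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream returns nothing (with SilentlyContinue) when the file has
    # no Zone.Identifier stream, i.e. it carries no Mark of the Web at all.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $Path; Marked = $false; ZoneId = $null; Zone = 'none'; Fields = @{} }
    }

    # The stream is an INI-style text block: a [ZoneTransfer] section header
    # followed by key=value lines. Keep every key so that any extra fields a
    # browser adds alongside ZoneId are preserved in the report.
    $fields = @{}
    Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object {
        if ($_ -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }

    $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    $zone   = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'unknown' }

    [pscustomobject]@{ File = $Path; Marked = $true; ZoneId = $zoneId; Zone = $zone; Fields = $fields }
}

function Get-MotwReport {
    param([string]$Folder = "$env:USERPROFILE\Downloads")
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object { Get-MotwInfo -Path $_.FullName }
}

# Usage: list everything in Downloads that came from the Internet or Restricted Sites zones.
Get-MotwReport | Where-Object { $_.ZoneId -ge 3 } | Format-Table File, ZoneId, Zone
```

Files reported as Marked = $false are the interesting ones for a defender: on a folder that only ever receives downloads, they are the files that arrived through a channel that does not set the mark.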

MOTW Defensive techniques

As described before, if an Excel sheet, for example, was downloaded from the internet, it is marked with ZoneId=3, which means it is not safe to be opened directly. So you get a warning before the macros embedded in it are executed.

The same applies to an executable file "EXE" marked with ZoneId=3: Windows pops up a warning message asking for your permission or acceptance before running it on the system.

To be clearer, let me show you some real examples of programs that perform security checks based on the zone ID.

1. Windows Defender SmartScreen

Windows keeps a list of the programs most commonly downloaded by users, and once you download a program and try to install it, Windows checks whether the program's Zone ID ADS exists on the file; if it does not, you get a warning pop-up like this one.

2. Microsoft Office Protected View

If you download an MS Office file from the web or as an email attachment and try to open it, you will find that MS Office opens it in Read-Only or Protected View, and you will not be able to edit or change anything in the content before enabling editing manually.

3. Blocked Downloaded Macros

If you inject a shell into a Word file, you inject it as a VBA macro, but if the victim downloads this file from the internet or receives it as an external email attachment, it is marked as unsafe and the victim gets a warning message like this one.

4. Visual Studio project files

If your victim is a developer, you might think: what if the payload is injected into a Visual Studio project file itself? Good idea, but unfortunately what happens with Word and Excel also happens with Visual Studio, because it performs the same security checks and pops up a warning for the victim that the file is harmful and comes from an untrusted website.

Note that files downloaded from an internal mail server are not marked with MOTW or the Zone.Identifier ADS, so if you have access to one of the users' Outlook mailboxes, for example, and want to send a payload to their manager, you have a good chance of skipping this protection.

Bypass Techniques

Now that we know what the MOTW is and how the system and its programs stop harmful actions, let me talk about 2 of the most important bypass techniques:

  1. Abusing software that does not set MOTW: delivering the payload in a file format that is handled by software which does not set or propagate the Zone.Identifier information.

  2. Abusing container formats: delivering the payload in a container format that does not support NTFS's alternate data stream feature.

1. Abusing Software

As described, the focus here is on delivering the payload through alternative channels that do not use the Zone.Identifier ADS. We will take 2 channels as examples:

  • Git: If you download a file using Git, it is not marked with MOTW or the Zone.Identifier, so it is a great way if you're targeting developers or users who use Visual Studio. You can inject your payload into the VS project and ask them to download it via Git.

  • 7-Zip: An alternative is to send the payload compressed and ask the victim to decompress it manually ("click on Extract, not double-click") using the 7-Zip software, because extracted this way it is not marked with the Zone.Identifier. For example, the phishing mail may contain this sentence: "Be careful with the attached files; it is recommended to decompress them manually using the 7-Zip software to avoid any sensitive data corruption".

2. Abusing Container format

Do you remember what the Zone.Identifier ADS is? It's an NTFS file system feature. Right?

So what happens if we place our payload inside another file system, like ISO, FAT32 or similar? For sure the Zone.Identifier ADS will not affect our file.

If we put the payloaded files into an ISO image, then after the download the file is marked with the Zone.Identifier ADS only on the outside: the downloaded ISO is marked, but the payload inside the ISO is not. It stays under cover like this girl, who is obviously not a cat 😂
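The script below is an added example (not part of the original post) of the mitigation for the container and 7-Zip cases above: it reads the ZoneId from the downloaded container's own Zone.Identifier stream and re-applies that mark to every extracted file that lacks one, so Office, SmartScreen and Explorer treat the contents exactly like the download. It assumes the extracted files live on an NTFS volume (a mounted ISO is read-only, so extract first), PowerShell 5 or later, and placeholder paths for the container and the extraction folder.

```powershell
# Added example: propagate the Mark of the Web from a downloaded container
# (ISO, 7z, ...) to files extracted by a tool that does not carry the
# Zone.Identifier stream over. Assumes NTFS and PowerShell 5+.

function Copy-MotwToExtracted {
    param(
        [Parameter(Mandatory)][string]$Container,       # the downloaded archive/ISO
        [Parameter(Mandatory)][string]$ExtractedFolder  # where its contents were extracted
    )

    # Read the container's own mark; with no Zone.Identifier there is nothing to propagate.
    $mark = Get-Content -LiteralPath $Container -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $mark) { Write-Warning "$Container carries no Mark of the Web"; return }

    $zoneLine = $mark | Where-Object { $_ -match '^ZoneId=' } | Select-Object -First 1
    if (-not $zoneLine) { Write-Warning "No ZoneId line in $Container"; return }

    # Minimal [ZoneTransfer] block, the same shape the gc output above shows.
    $content = "[ZoneTransfer]`r`n$zoneLine`r`n"

    Get-ChildItem -LiteralPath $ExtractedFolder -File -Recurse | ForEach-Object {
        $existing = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($existing) { return }   # already marked (e.g. by Explorer); keep the original stream
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value $content -NoNewline
        [pscustomobject]@{ File = $_.FullName; Applied = $zoneLine }
    }
}

# Usage with placeholder paths (not from the original post):
Copy-MotwToExtracted -Container "$env:USERPROFILE\Downloads\package.iso" `
                     -ExtractedFolder "$env:USERPROFILE\Downloads\package-extracted"
```

Running the function after an archive is extracted restores Protected View and the SmartScreen prompt for the contents, which is the behavior the container bypass relies on removing.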

Thanks for reading <3 Stay in touch
