Look at the Mark-of-the-Web (MOTW) security feature of Windows from the perspective of an infiltrator


MOTW stands for Mark of the Web. Originally it was an Internet Explorer mechanism: when IE saves a web page to disk it records where the page came from, so that the saved copy is later opened in the security zone appropriate for that origin rather than in the more permissive Local Machine zone. The mark is a comment added to the HTML page. When the user opens a locally stored HTML document, IE reads this comment to decide which zone, and therefore which security policy, applies. Here is an example of a valid MOTW:

<!-- saved from url=(0025)http://www.sagerking.com/ -->

Here (0025) is the length, in characters, of the URL that follows it (http://www.sagerking.com/ is 25 characters long), and sagerking.com is the site the page was saved from. When the browser opens the saved HTML, IE looks for the "saved from url" comment and uses the zone that the URL maps to in order to determine which security policy should be applied to the page.

Introduced with Internet Explorer 6 on Windows XP SP2, MOTW is also useful during web development: it lets you test locally stored HTML documents in a zone you specify rather than in the Local Machine zone. For example, if a page embeds Flash ActionScript or other active content and is not evaluated in a suitable zone, that content is disabled and the page does not work as intended. Adding a MOTW comment that points at the appropriate zone fixes this.
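
The one rule in the comment format is the length field, and a miscounted length is easy to produce by hand. The following PowerShell is an added example, not code from the original article: it builds the comment from a URL and checks an existing comment's declared length against the URL actually written after it. The function names are chosen for this example.

```powershell
# Added example, not from the original article: build and check the HTML
# MOTW comment. The only rule is that the four-digit number equals the
# character count of the URL that follows it.

function New-MotwComment {
    param([Parameter(Mandatory)][string]$Url)
    # {0:D4} zero-pads the length to four digits, e.g. 25 -> 0025
    '<!-- saved from url=({0:D4}){1} -->' -f $Url.Length, $Url
}

function Test-MotwComment {
    # Returns $null when no MOTW comment is present; otherwise reports whether
    # the declared length matches the URL that follows it.
    param([Parameter(Mandatory)][string]$Html)
    $m = [regex]::Match($Html, '<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->')
    if (-not $m.Success) { return $null }
    $declared = [int]$m.Groups[1].Value
    $url      = $m.Groups[2].Value
    [pscustomobject]@{
        Url      = $url
        Declared = $declared
        Actual   = $url.Length
        Valid    = ($declared -eq $url.Length)
    }
}

New-MotwComment -Url 'http://www.sagerking.com/'

# A miscounted length is reported as Valid = False
Test-MotwComment -Html '<!-- saved from url=(0023)http://www.sagerking.com/ -->' | Format-List
```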

For penetration testers, however, MOTW is a major obstacle, especially when trying to gain an initial foothold.

When a file is marked as downloaded from the Internet, the payload, whether it is an executable, an MS Office file or a CHM file, is subject to additional scrutiny by Windows and by security products. In this article we explain how this mechanism works and explore attack techniques that help evade or bypass MOTW.

Please note that the techniques described in this article are not new; they have been used by attackers in the wild. The aim of this article is therefore to raise awareness of them.

Historically, MOTW was implemented by adding the <!-- saved from url=... --> comment at the beginning of a saved web page.

This mechanism was later extended to file types other than HTML. Microsoft achieved this by creating an alternate data stream (ADS) on downloaded files. ADS is a feature of the NTFS file system, present since NTFS was introduced with Windows NT 3.1, that allows multiple data streams to be associated with one file name, addressed as filename:streamname.

When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and writes a ZoneId into the stream to indicate which zone the file originated from. Although it is not the official name, most people still refer to this feature as Mark-of-the-Web.

Listing and viewing alternate data streams with PowerShell is simple: both the Get-Item and Get-Content cmdlets have a -Stream parameter, as shown in the screenshot below:

[Screenshot: Get-Item -Stream and Get-Content -Stream Zone.Identifier output for a downloaded file]

The following ZoneId values can be used in the Zone.Identifier ADS:

·  0. Local machine

·  1. Local intranet

·  2. Trusted sites

·  3. Internet

·  4. Restricted sites

Nowadays all major software that handles attachments or downloads on Windows writes a Zone.Identifier ADS, including Internet Explorer, Edge, Outlook, Chrome, Firefox and others. These programs write the ADS either directly or through the system's IAttachmentExecute interface. For the latter, the behaviour is controlled by the SaveZoneInformation setting of the Attachment Manager.

Please note that the Windows 10 implementation of the IAttachmentExecute interface also adds URL information (ReferrerUrl and HostUrl) to the Zone.Identifier ADS:

[Screenshot: Zone.Identifier contents with ZoneId, ReferrerUrl and HostUrl lines; the HostUrl begins with blob:]

For penetration testers: be aware that MOTW is also set when using HTML smuggling (note the "blob" keyword in the screenshot above, which is an indicator of possible HTML smuggling).
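
To make the stream contents concrete, here is an added PowerShell example (not code from the original article) that reads Zone.Identifier streams, translates the ZoneId using the list above, and flags the blob: HostUrl that HTML smuggling leaves behind. It assumes NTFS and Windows PowerShell 3 or later (the -Stream parameter); the sample file and its stream contents are constructed for the demo, and the function name is chosen here.

```powershell
# Added example, not from the original article: read Zone.Identifier streams,
# translate the ZoneId, and flag the blob: HostUrl that HTML smuggling leaves
# behind. Assumes NTFS and Windows PowerShell 3+ (the -Stream parameter);
# the sample file written below is constructed for the demo.

$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-MotwInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $name = Split-Path -Leaf $Path
        # Get-Item -Stream fails when the stream is absent, i.e. the file has no MOTW
        $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) {
            return [pscustomobject]@{ File = $name; ZoneId = $null; Zone = '(no MOTW)'; HostUrl = $null; ReferrerUrl = $null; Smuggled = $false }
        }
        # The stream is INI-style text: a [ZoneTransfer] section followed by Key=Value lines
        $kv = @{}
        foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
            if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $kv[$matches[1]] = $matches[2] }
        }
        $zoneId = [int]$kv['ZoneId']
        [pscustomobject]@{
            File        = $name
            ZoneId      = $zoneId
            Zone        = $ZoneNames[$zoneId]
            HostUrl     = $kv['HostUrl']
            ReferrerUrl = $kv['ReferrerUrl']
            # A blob: HostUrl means the browser saved a JavaScript-created Blob, the HTML smuggling tell
            Smuggled    = [bool]($kv['HostUrl'] -like 'blob:*')
        }
    }
}

# Constructed sample: write the stream by hand the way a browser would after HTML smuggling
$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $sample -Value 'demo'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'ReferrerUrl=https://example.invalid/lure.html'
    'HostUrl=blob:https://example.invalid/1b5c2e2a-7c5f-4d1e-9a4d-2f3e8b9c0d11'
)
Get-MotwInfo -Path $sample | Format-List
Remove-Item -LiteralPath $sample

# Typical use on a real machine:
# Get-ChildItem "$env:USERPROFILE\Downloads" -File | Get-MotwInfo | Where-Object Smuggled
```

Because Get-ChildItem output binds to the function through the FullName alias, the same function can be run over a whole Downloads folder to find files that arrived through HTML smuggling.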

The security role of MOTW

Windows, MS Office and various other programs use the information in the Zone.Identifier alternate data stream to trigger security features on downloaded files. From a penetration tester's perspective, the most notable ones are listed below (note that this list is far from complete; only some of them are covered here).

Windows Defender SmartScreen

On Windows 10, when a downloaded program is run, Windows Defender SmartScreen can pop up a warning window saying: Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

This feature works by checking downloaded executables (identified by the Zone.Identifier ADS) against a list of files that are well known and downloaded by many Windows users. If the file is not on that list, Windows Defender SmartScreen displays the following warning:

[Screenshot: Windows Defender SmartScreen warning for an unrecognized app]

MS Office protected view

The Protected View sandbox tries to protect MS Office users from potential threats in files that come from the Internet or other dangerous zones. By default, most MS Office file types marked with MOTW are opened in this sandbox. Many users know this feature as MS Office's familiar yellow bar with the "Enable Editing" button.

[Screenshot: Protected View yellow bar with the Enable Editing button]

A few years ago MWR (now F-Secure Labs) published a technical article about this sandbox. Note that some MS Office file types cannot be loaded in the Protected View sandbox; the SYLK file format is a well-known example.

What is the SYLK file format?

SYLK (Symbolic Link) is a file format developed in the 1980s that the latest MS Office versions still support. It turns out to be a good choice for weaponized documents, and attackers use such files to establish an initial foothold. SYLK files normally have the extension .slk. The format uses only printable ANSI characters and was created to exchange data between applications (such as spreadsheets and databases).

Nowadays the format is hardly used and documentation is scarce. Wikipedia has little detail on SYLK. Probably the best available document is sylksum.doc, which was written by Microsoft and last updated in 1986.

Despite its age, the .slk extension is by default still mapped to Excel in current MS Office versions (confirmed on 2010, 2013 and 2016). It turns out that SYLK's capabilities go beyond DDE attacks: in particular, malicious macros can also be embedded in this file type.

An important reason the SYLK format attracts attackers is that the Protected View sandbox does not apply to it. This means that if a weaponized SYLK file is delivered by e-mail or over the web, and MOTW is applied to it, the target user is still not confronted with the Protected View warning.
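
Since Protected View will not sandbox a .slk file even when MOTW is set, a mail gateway or endpoint script has to look at the file contents instead. The following PowerShell is an added example, not code from the original article, that triages a .slk file for macro-sheet and formula indicators and reports whether it came from the Internet. The record types it relies on (an ID header, an O options record whose E field marks an Excel 4.0 macro sheet, NN defined names, and C cell records whose E field holds a formula) are taken from the public SYLK description in sylksum.doc and published research; the list of dangerous functions and the sample file are constructed for this demo, and the function name is chosen here.

```powershell
# Added example, not from the original article: triage a .slk file before a
# user opens it, since Protected View will not sandbox it even when MOTW is set.
# Assumptions: SYLK record types as described in sylksum.doc (ID header, O options
# with an E field for an Excel 4.0 macro sheet, NN defined names, C cells whose
# E field holds a formula); the sample file below is constructed for this demo.

$DangerousFunctions = 'EXEC', 'CALL', 'REGISTER', 'FORMULA', 'RUN', 'SEND.KEYS', 'FOPEN', 'FWRITE'

function Test-SylkFile {
    param([Parameter(Mandatory)][string]$Path)
    $lines    = @(Get-Content -LiteralPath $Path)
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($lines.Count -eq 0 -or $lines[0] -notmatch '^ID;') {
        $findings.Add('No SYLK ID header (not a SYLK file, or a malformed one)')
    }
    # O;E marks the sheet as an Excel 4.0 (XLM) macro sheet
    foreach ($l in ($lines -match '^O;')) {
        if (($l -split ';') -contains 'E') { $findings.Add("Excel 4.0 macro sheet flag: $l") }
    }
    # NN records define names; Auto_Open/Auto_Close run without user interaction
    foreach ($l in ($lines -match '^NN;')) {
        if ($l -match '(?i);N(Auto_Open|Auto_Close|Auto_Activate)') { $findings.Add("Auto-run name: $l") }
    }
    # C records hold cell contents; a field starting with E is a formula
    foreach ($l in ($lines -match '^C;')) {
        $field = ($l -split ';' | Where-Object { $_ -like 'E*' } | Select-Object -First 1)
        if (-not $field) { continue }
        $expr = $field.Substring(1)
        foreach ($fn in $DangerousFunctions) {
            if ($expr -match "(?i)(^|[^\w.])$([regex]::Escape($fn))\(") { $findings.Add("Formula calls $($fn)(): $l") }
        }
        # DDE-style formula, e.g. =cmd|'/c ...'!A0
        if ($expr -match '\|.*!') { $findings.Add("Possible DDE formula: $l") }
    }

    # A downloaded .slk (ZoneId=3) opens outside Protected View, so report that too
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool](@($zone) -match '^ZoneId=3')
    $verdict = if ($findings.Count -gt 0) { 'BLOCK' } else { 'ALLOW' }

    [pscustomobject]@{
        File         = $Path
        FromInternet = $fromInternet
        Findings     = $findings
        Verdict      = $verdict
    }
}

# Constructed sample: an XLM macro sheet that would run on open, marked as from the Internet
$sample = Join-Path $env:TEMP 'sample.slk'
@(
    'ID;PWXL;N;E'
    'O;E'
    'NN;NAuto_open;ER101C1;KOut;F'
    'C;X1;Y101;EEXEC("calc.exe")'
    'C;X1;Y102;EHALT()'
    'E'
) | Set-Content -LiteralPath $sample
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

Test-SylkFile -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

The sample produces three findings (macro sheet flag, Auto_open name, EXEC call) and FromInternet = True. In practice the cheapest control is not to triage .slk at all but to block the extension at the mail gateway, since legitimate use of the format is rare.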

MS Office block macros downloaded from the Internet

This feature was introduced in Office 2016 and later backported to Office 2013. When the setting is enabled, macros in MS Office files marked with MOTW are disabled and a warning message is shown to the user.

[Screenshot: Office warning that macros in a file from the Internet have been blocked]

Users will certainly notice this warning, which makes the setting a very effective measure against large-scale macro-based malware.

Visual Studio project file

Opening untrusted Visual Studio project files can be dangerous; for the reasons, see the talk given by a researcher at Nullcon Goa 2020. By default, Visual Studio shows a warning for any project file that has the MOTW attribute set.

[Screenshot: Visual Studio security warning for a project file with MOTW]

Windows Defender Application Guard for Office

For security-conscious users of Google Chrome and Mozilla Firefox, Microsoft released a browser extension in 2019: Windows Defender Application Guard. WDAG for these two popular browsers provides the same hardware isolation technology as Microsoft Edge and automatically redirects users to an isolated Edge session when they visit untrusted websites. After the extension is installed, the user can open Windows Defender Application Guard by clicking the extension icon in the browser. In an isolated browser session, users can freely navigate to any site that is not explicitly defined as enterprise-trusted, and browsing in this mode has no impact on the rest of the system. Combined with the dynamic switching feature Microsoft announced at the time, a user who tries to reach a trusted corporate site from an isolated session is switched back to the default browser.

In addition, Windows Defender Application Guard for Office can run potentially malicious macros embedded in MS Office files in a small virtual machine (based on Application Guard technology) to protect the operating system.


Based on the limited documentation available, the decision to open a document in the VM is based on MOTW. Unfortunately, I have not used this technology, so I cannot confirm its actual effectiveness through testing.

Strategies to bypass MOTW

From a penetration testing perspective, there are two strategies for bypassing MOTW. All the techniques we have observed in the wild fall into one of the following two categories:

1. Abusing software that does not set MOTW: deliver the payload in a file format handled by software that does not set or propagate Zone.Identifier information.

2. Abusing container formats: deliver the payload in a container format that does not support NTFS alternate data streams.

There is of course a third strategy: social-engineering users into removing the MOTW attribute themselves (right-click the file -> Properties -> Unblock). That topic is beyond the scope of this article. For defenders, from a technical perspective, you can set HideZoneInfoOnProperties via Group Policy to prevent end users from performing this action.

Now let's take a closer look at the two technical strategies for bypassing MOTW.

Strategy 1: Abusing software that does not set MOTW

The first strategy delivers the payload in a file format handled by software that does not set or propagate Zone.Identifier information. The Git client is a good example: the image below shows that files cloned from GitHub with the Git client do not have a Zone.Identifier ADS.

[Screenshot: files in a cloned Git repository with no Zone.Identifier stream]

For a penetration testing team targeting developers, delivering the payload via Git can be a good way to bypass MOTW; this is particularly relevant for Visual Studio payloads.

Another well-known example of software that does not write a Zone.Identifier ADS is 7-Zip. When a file is double-clicked in the 7-Zip GUI, the archiver does set MOTW, because in that case the file is extracted to a temporary directory and opened from there. However, when the file is extracted manually to another location (that is, by clicking the Extract button instead of double-clicking), 7-Zip does not propagate the Zone.Identifier ADS to the extracted files. Note that this behaviour is independent of the archive format: any extension handled by 7-Zip (7z, zip, rar, etc.) exhibits it.

This appears to be a conscious design decision by 7-Zip's lead developer, as can be seen in a discussion on SourceForge; more information is available from the linked sources.


In particular, I do not recommend using 7-Zip to extract potentially dangerous files, because it is a product known for "odd" security decisions (such as the lack of ASLR).

Strategy 2: Abuse the container format

Remember that alternate data streams are an NTFS feature? This means a Zone.Identifier ADS cannot exist on other file systems (such as FAT32). Attackers can exploit this by embedding the payload in a file system container such as an ISO or VHD(X).

When such a container is opened with Windows Explorer, the MOTW on the outer container is not propagated to the files inside it. The screenshot below confirms this: the downloaded ISO is marked with MOTW, but the payload inside the ISO is not.

[Screenshot: downloaded ISO carrying a Zone.Identifier stream, while the file inside the mounted ISO has none]

Note that delivering payloads in ISO format is a common evasion technique in the wild; TA505, for example, is a well-known threat actor that abuses it.
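
The following PowerShell is an added example, not code from the original article, that reproduces the container observation above and shows the defender-side fix for both this strategy and the 7-Zip case in Strategy 1: mount a downloaded ISO, confirm that no file inside it carries Zone.Identifier (the mounted image is CDFS/UDF, not NTFS), and then re-apply the container's own MOTW to any copies extracted from it, which is what Explorer's built-in zip extraction does and what 7-Zip's Extract button and an ISO mount both skip. It assumes a downloaded ISO at the path in $Iso (so the ISO itself has a Zone.Identifier stream) and the Storage module (Mount-DiskImage, Windows 8/Server 2012 and later); the paths and the function name are chosen for this example.

```powershell
# Added example, not from the original article: mount a downloaded ISO, show that
# the files inside carry no Zone.Identifier, and re-apply the container's MOTW to
# copies you extract (which 7-Zip's Extract button and an ISO mount both skip).
# Assumptions: $Iso is an ISO you downloaded (so it has a Zone.Identifier stream)
# and the Storage module (Mount-DiskImage, Windows 8/Server 2012+) is present.

function Copy-WithMotw {
    param([string]$Container, [string]$Source, [string]$Dest)
    # Read the outer container's stream once; $null when the container has no MOTW
    $zone = Get-Content -LiteralPath $Container -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) { Write-Warning "$Container has no Zone.Identifier; copies will be unmarked" }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $srcRoot = $Source.TrimEnd('\')
    Get-ChildItem -LiteralPath $Source -File -Recurse | ForEach-Object {
        $rel    = $_.FullName.Substring($srcRoot.Length).TrimStart('\')
        $target = Join-Path $Dest $rel
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        # The copy lands on NTFS, so the stream can be written there
        if ($zone) { Set-Content -LiteralPath $target -Stream Zone.Identifier -Value $zone }
        $target
    }
}

$Iso  = "$env:USERPROFILE\Downloads\payload.iso"        # assumption: a downloaded ISO
$Dest = "$env:USERPROFILE\Downloads\payload-extracted"   # assumption: extraction target on NTFS

Mount-DiskImage -ImagePath $Iso | Out-Null
try {
    $letter = (Get-DiskImage -ImagePath $Iso | Get-Volume).DriveLetter
    $root   = "${letter}:\"

    "Container: " + ((Get-Content -LiteralPath $Iso -Stream Zone.Identifier -ErrorAction SilentlyContinue) -join ' ')

    # Inside the mounted image (CDFS/UDF, not NTFS) no file can carry the stream,
    # so Get-Item -Stream fails for every one of them: HasMotw is False throughout
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        $s = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{ File = $_.FullName; HasMotw = [bool]$s }
    } | Format-Table -AutoSize

    # Extract with the container's MOTW propagated, then list the streams on the copies
    Copy-WithMotw -Container $Iso -Source $root -Dest $Dest |
        ForEach-Object { Get-Item -LiteralPath $_ -Stream Zone.Identifier -ErrorAction SilentlyContinue } |
        Select-Object FileName, Stream, Length
} finally {
    Dismount-DiskImage -ImagePath $Iso | Out-Null
}
```

The same Copy-WithMotw function can be pointed at a folder that 7-Zip has just extracted, with the original archive as the container, to restore the mark the archiver declined to propagate.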

Mitigation measures

First, some commonly used security measures already provide good mitigation, because many attackers do not use the techniques described in this article. In particular, I strongly recommend the setting that blocks macros in files downloaded from the Internet, which is available in MS Office 2013 and later.

Second, the techniques described in this article underline a very important security principle: defense in depth. Do not rely on a single preventive control, in this case MOTW, when designing a security strategy.

Ask what other measures you can take if an attacker bypasses MOTW. For example, if it is feasible for your organization, block container formats in mail filters and proxies. In addition, limit the impact of any malicious file that gets past MOTW-dependent controls, for example with ASR rules. ASR stands for Attack Surface Reduction: a set of configurable Microsoft Defender rules that protect the computer against malicious software and code by blocking common attack behaviours.
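
To check whether these controls are actually in place on a workstation, here is an added PowerShell audit example, not code from the original article. It reads the Attachment Manager policy values (SaveZoneInformation and HideZoneInfoOnProperties), the Office 2016/365 (16.0) per-application "block macros from the Internet" policy value, and the state of three Defender ASR rules that limit what a dropper can do once it has bypassed MOTW. The registry paths are the user-policy locations for these settings and the ASR rule GUIDs are the ones Microsoft publishes for the rules named in the comments; the function names are chosen here. It must be run in the context of the user being audited, and Get-MpPreference requires Microsoft Defender to be present.

```powershell
# Added example, not from the original article: audit the MOTW-related controls
# discussed above on a workstation. Registry locations are the user-policy paths
# for Attachment Manager and Office 2016/365 (16.0); the ASR rule GUIDs are the
# ones Microsoft publishes for the rules named in the comments.

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value does not exist (i.e. the policy is not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-MotwPosture {
    $att     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
    $results = @()

    # Attachment Manager: 1 = "Do not preserve zone information" (no MOTW written), 2 = preserve
    $szi = Get-RegValue $att 'SaveZoneInformation'
    $results += [pscustomobject]@{ Control = 'Attachment Manager writes MOTW'; Value = $szi; Ok = ($szi -ne 1) }

    # 1 hides the Unblock checkbox on the file Properties dialog (the third strategy in the text)
    $hide = Get-RegValue $att 'HideZoneInfoOnProperties'
    $results += [pscustomobject]@{ Control = 'Unblock checkbox hidden'; Value = $hide; Ok = ($hide -eq 1) }

    # Office: block macros in files from the Internet; 1 = enabled, configured per application
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $pol = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v   = Get-RegValue $pol 'blockcontentexecutionfrominternet'
        $results += [pscustomobject]@{ Control = "$app blocks Internet macros"; Value = $v; Ok = ($v -eq 1) }
    }

    # Defender ASR rules that limit what a MOTW-bypassing dropper can do.
    # Action 1 = Block (2 = Audit, 6 = Warn, 0 = Disabled)
    $asr = @{
        'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    }
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $asr.Keys) {
        $i    = [array]::IndexOf($ids, $guid)
        $mode = if ($i -ge 0) { [int]$acts[$i] } else { $null }
        $results += [pscustomobject]@{ Control = "ASR: $($asr[$guid])"; Value = $mode; Ok = ($mode -eq 1) }
    }
    $results
}

Test-MotwPosture | Format-Table -AutoSize
```

Any row with Ok = False is a gap in the layered defence the section argues for: a missing SaveZoneInformation policy is fine (the default is to preserve the mark), but a value of 1 switches MOTW off for everything that goes through the Attachment Manager, and an unconfigured Office macro policy leaves the decision to the user.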

Reference : https://blog.csdn.net/systemino/article/details/105757289