The Mark of The Web (MOTW)

Helpful DFIR artifact.

MOTW Refs

How to leverage MOTW in DFIR

How to extract the MOTW from a file: use Get-Content to read the Zone.Identifier alternate data stream, which proves the file was downloaded from the internet

Get-Content -path 'filename' -stream Zone.Identifier

Real-world use case:

In this report, the analyst uses the browser search history together with the MOTW to establish that the file was downloaded from the internet and to obtain the IP address it was downloaded from.

The result when you run the above command looks something like this:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://library.lol/
HostUrl=http://176.119.25.72/main/1545000/9fa25f2e19a1e820b5dbd627c6042142/%28Artech%20House%20Intelligence%20and%20Information%20Operations%29%20Senior%20Lecturer%20Hy%20Rothstein%2C%20Barton%20Whaley%20-%20The%20Art%20and%20Science%20of%20Military%20Deception-Artech%20House%20Publishers%20%282013%29.pdf

Explanation of the output:

  • ZoneId

    • 0. Local computer

    • 1. Local intranet

    • 2. Trusted sites

    • 3. Internet

    • 4. Restricted sites

  • ReferrerUrl is the URL of the page the user was visiting when the download started

  • HostUrl is the full URL the file was fetched from (here an IP address plus the path of the file on that host)
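The following script is an added example (not from the original page) that applies the Get-Content technique above to every file under a folder and turns the raw [ZoneTransfer] text into a table with the zone name, ReferrerUrl and HostUrl. The $Path parameter, the Get-MotwInfo function name and the default of the user's Downloads folder are assumptions for this example. Files without a Zone.Identifier stream are skipped rather than reported as an error, since Get-Content fails on a missing stream.

```powershell
# Added example: triage a folder for Mark-of-the-Web (Zone.Identifier) data.
# $Path is an assumed parameter; point it at the directory under investigation.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# ZoneId values and the zone names they correspond to.
$ZoneNames = @{
    0 = 'Local computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    # Get-Content -Stream raises an error when the file has no Zone.Identifier
    # stream, so suppress it and treat a missing stream as "no MOTW".
    $lines = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }

    # The stream is INI-style: a [ZoneTransfer] header followed by Key=Value lines.
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $zoneId = $null
    if ($fields.ContainsKey('ZoneId')) { $zoneId = [int]$fields['ZoneId'] }

    $zoneName = 'Unknown'
    if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) {
        $zoneName = $ZoneNames[$zoneId]
    }

    [pscustomobject]@{
        File        = $FilePath
        ZoneId      = $zoneId
        Zone        = $zoneName
        ReferrerUrl = $fields['ReferrerUrl']   # $null when the browser did not record it
        HostUrl     = $fields['HostUrl']       # $null for older or minimal streams
    }
}

# Walk the folder, keep only files that carry a MOTW, and show internet-zone files first.
Get-ChildItem -LiteralPath $Path -File -Recurse |
    ForEach-Object { Get-MotwInfo -FilePath $_.FullName } |
    Where-Object { $null -ne $_ } |
    Sort-Object ZoneId -Descending |
    Format-Table File, Zone, ReferrerUrl, HostUrl -AutoSize
```

Run it as `.\Get-Motw.ps1 -Path 'C:\Users\victim\Downloads'` (script name assumed). A ZoneId of 3 with a populated HostUrl is the evidence the report above relies on; a file that returns no row simply has no Zone.Identifier stream, which, as the bypass section notes, does not by itself prove the file originated locally.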

MOTW Bypasses

MOTW is not applied in some cases, as described in this blog post: https://www.outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/

  1. Abusing software that does not set MOTW

  2. Abusing container formats

Also, Atomic Red Team has a test specific to MOTW bypass (T1553.005): https://atomicredteam.io/defense-evasion/T1553.005/
