T1553.005 Google Chronicle · YARA-L

Detect Mark-of-the-Web Bypass in Google Chronicle

Adversaries abuse container file formats such as ISO disk images, VHD/VHDX virtual hard disks, and compressed archives (ZIP, RAR, 7z, ARJ) to deliver malicious payloads that bypass Mark-of-the-Web (MOTW) protections. When a container file is downloaded from the Internet, Windows tags it with a Zone.Identifier NTFS Alternate Data Stream (ZoneId=3), but files extracted or mounted from containers typically do not inherit this tag because MOTW is an NTFS feature and many container formats do not support NTFS ADS. This allows embedded executables, scripts, and LNK files to bypass Protected View in Microsoft Office, Windows Defender SmartScreen warnings, and other MOTW-dependent security controls. Adversaries also directly manipulate or delete the Zone.Identifier ADS from already-downloaded files (Amadey sets ZoneId=0; attackers use streams.exe or PowerShell Remove-Item -Stream). This technique has been widely adopted by TA505 (ISO/LNK chains), QakBot (ISO packaging), APT29 (ISO/VHDX embedded in HTML), and APT38 (ISO/VHD delivery).

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.005 Mark-of-the-Web Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1553_005_motw_bypass {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Mark-of-the-Web bypass via Zone.Identifier ADS deletion, PowerShell disk image mounting, ADS manipulation tools, and execution from mounted volumes — T1553.005"
    mitre_attack = "T1553.005"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      // Branch 1: Zone.Identifier ADS deletion or stream manipulation via file events
      $e1.metadata.event_type = "FILE_DELETION"
      and re.regex($e1.target.file.full_path, `(?i):Zone\.Identifier$`)
    )
    or
    (
      // Branch 2: ADS manipulation tools — streams.exe or PowerShell Remove-Item Zone.Identifier
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)\\streams(64)?\.exe$`)
        or (
          re.regex($e1.principal.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
          and re.regex($e1.target.process.command_line, `(?i)Zone\.Identifier`)
          and re.regex($e1.target.process.command_line, `(?i)(Remove-Item|-Stream|Clear-Content|Set-Content)`)
        )
        or (
          re.regex($e1.principal.process.file.full_path, `(?i)\\cmd\.exe$`)
          and re.regex($e1.target.process.command_line, `(?i)Zone\.Identifier`)
        )
      )
    )
    or
    (
      // Branch 3: PowerShell disk image mount
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
      and (
        re.regex($e1.target.process.command_line, `(?i)(Mount-DiskImage|Mount-VHD)`)
        or (
          re.regex($e1.target.process.command_line, `(?i)\.(iso|vhd|vhdx|img)`)
          and re.regex($e1.target.process.command_line, `(?i)(mount|attach|diskpart)`)
        )
      )
    )
    or
    (
      // Branch 4: Execution from non-C: mounted volume via explorer or cmd
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `^[D-Zd-z]:\\.*\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$`)
      and re.regex($e1.principal.process.file.full_path, `(?i)\\(explorer|cmd)\.exe$`)
      and not re.regex($e1.target.process.file.full_path, `(?i)(Program Files|Games|Steam|GOG|Epic Games)`)
    )

  condition:
    $e1
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1553.005 MOTW bypass across four branches: Zone.Identifier ADS deletion, ADS manipulation with streams.exe or PowerShell, PowerShell disk image mount commands, and process execution from non-system mounted drive letters initiated by explorer.exe or cmd.exe.

Data Sources

Google ChronicleChronicle Ingestion APIWindows Event Logs via Chronicle forwarderSysmon UDM ingestion

Required Tables

UDM Events (process_launch, file_deletion)

False Positives & Tuning

  • Enterprise deployment tools running ISOs on non-C: drives during imaging or provisioning
  • Legitimate forensic or incident response tools such as FTK or Arsenal Image Mounter operating on mounted volumes
  • IT administrators using streams.exe for ADS inventory or cleanup tasks as part of hardening procedures
  • Developers or testers running isolated environments from secondary volumes or VHDs
Download portable Sigma rule (.yml)

Other platforms for T1553.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mount ISO File and Execute Payload Without MOTW

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Mount-DiskImage' and the ISO path. System Event ID 6416 (Kernel-PnP): new virtual volume recognized. Sysmon Event ID 1: cmd.exe executing from a non-C: drive letter spawned by powershell.exe. Sysmon Event ID 11: motw-result.txt file creation in %TEMP%. Critically — no Sysmon Event ID 15 for Zone.Identifier on payload.bat inside the ISO, confirming MOTW bypass.

  2. Test 2Strip Zone.Identifier ADS via PowerShell Remove-Item -Stream

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Zone.Identifier' and 'Remove-Item'. Sysmon Event ID 15 (FileCreateStreamHash): fires during the setup phase when Zone.Identifier is written to the file. DeviceFileEvents (MDE) ActionType=FileDeleted targeting the Zone.Identifier stream. Windows Security Event ID 4663 (if object access auditing enabled): DELETE access to the file's ADS.

  3. Test 3Modify Zone.Identifier to ZoneId=0 (Amadey Technique)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Zone.Identifier' and 'Set-Content'. Sysmon Event ID 15 (FileCreateStreamHash): fires twice — once for ZoneId=3 creation and once for the ZoneId=0 overwrite, producing different hash values for the stream content. DeviceFileEvents ActionType=FileModified for the test file. Key forensic indicator: Sysmon Event ID 15 with a hash value matching the ZoneId=0 template string '[ZoneTransfer]\r\nZoneId=0'.

  4. Test 4Delete Zone.Identifier Using Sysinternals Streams.exe

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading Streams.zip. Sysmon Event ID 3: network connection to download.sysinternals.com. Sysmon Event ID 11: Streams.zip and extracted files created in %TEMP%. Sysmon Event ID 1: streams64.exe process creation with CommandLine containing '-d' and the target file path. DeviceFileEvents: file modification event as Zone.Identifier ADS is deleted from the test file.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1553.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper BypassT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1553.004Install Root CertificateT1553.006Code Signing Policy Modification

Related Techniques

T1553Subvert Trust ControlsT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1204.002Malicious FileT1218.011Rundll32T1218.010Regsvr32T1547.009Shortcut ModificationT1027.009Embedded PayloadsT1070.006Timestomp

Same Tactic: Defense Evasion

Popular Detections