T1553.005 Sumo Logic CSE · Sumo

Detect Mark-of-the-Web Bypass in Sumo Logic CSE

Adversaries abuse container file formats such as ISO disk images, VHD/VHDX virtual hard disks, and compressed archives (ZIP, RAR, 7z, ARJ) to deliver malicious payloads that bypass Mark-of-the-Web (MOTW) protections. When a container file is downloaded from the Internet, Windows tags it with a Zone.Identifier NTFS Alternate Data Stream (ZoneId=3), but files extracted or mounted from containers typically do not inherit this tag because MOTW is an NTFS feature and many container formats do not support NTFS ADS. This allows embedded executables, scripts, and LNK files to bypass Protected View in Microsoft Office, Windows Defender SmartScreen warnings, and other MOTW-dependent security controls. Adversaries also directly manipulate or delete the Zone.Identifier ADS from already-downloaded files (Amadey sets ZoneId=0; attackers use streams.exe or PowerShell Remove-Item -Stream). This technique has been widely adopted by TA505 (ISO/LNK chains), QakBot (ISO packaging), APT29 (ISO/VHDX embedded in HTML), and APT38 (ISO/VHD delivery).

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.005 Mark-of-the-Web Bypass
Canonical reference
https://attack.mitre.org/techniques/T1553/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// T1553.005 - MOTW Bypass Detection in Sumo Logic
// Covers ADS deletion, PowerShell mounting, ADS tool use, and mounted volume execution
// Written in Sumo Logic search syntax: "expression as field" assignments and the
// matches operator (regex in /.../, wildcard patterns in "..."); there is no eval,
// matchesRegex or contains in Sumo search, and table is replaced by fields.

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*WinEventLog*)
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='ParentCommandLine'>*</Data>" as ParentCommandLine nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
| parse field=_raw "<Data Name='Hashes'>*</Data>" as Hashes nodrop
| where EventID in ("1", "15")
| toLowerCase(Image) as ImageLower
| toLowerCase(CommandLine) as CmdLower
| toLowerCase(TargetFilename) as TargetLower
| toLowerCase(ParentImage) as ParentLower
| "" as DetectionType
// Branch 1: Sysmon FileCreateStreamHash (15) on a Zone.Identifier ADS
| if(EventID = "15" AND TargetLower matches /.*:zone\.identifier$/,
     "Sysmon_ADS_Zone_Identifier", DetectionType) as DetectionType
// Branch 2: ADS manipulation tools (streams.exe, PowerShell stream cmdlets, cmd.exe)
| if(EventID = "1" AND (
      ImageLower matches /.*streams(64)?\.exe$/
      OR (ImageLower matches /.*(powershell|pwsh)\.exe$/
          AND CmdLower matches "*zone.identifier*"
          AND (CmdLower matches "*remove-item*" OR CmdLower matches "*-stream*"
               OR CmdLower matches "*clear-content*" OR CmdLower matches "*set-content*"))
      OR (ImageLower matches "*cmd.exe*" AND CmdLower matches "*zone.identifier*")
    ), "ADS_Manipulation_Tool", DetectionType) as DetectionType
// Branch 3: PowerShell disk image mount
| if(EventID = "1"
    AND ImageLower matches /.*(powershell|pwsh)\.exe$/
    AND (CmdLower matches "*mount-diskimage*" OR CmdLower matches "*mount-vhd*"
         OR ((CmdLower matches "*.iso*" OR CmdLower matches "*.vhd*"
              OR CmdLower matches "*.vhdx*" OR CmdLower matches "*.img*")
             AND (CmdLower matches "*mount*" OR CmdLower matches "*attach*"
                  OR CmdLower matches "*diskpart*"))),
    "DiskImage_Mount_PowerShell", DetectionType) as DetectionType
// Branch 4: Execution from a mounted (non-C:) volume; later branches override earlier ones
| if(EventID = "1"
    AND Image matches /^[D-Zd-z]:\\.*\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$/
    AND (ParentLower matches "*explorer.exe*" OR ParentLower matches "*cmd.exe*")
    AND !(ImageLower matches "*program files*" OR ImageLower matches "*games*"
          OR ImageLower matches "*steam*"),
    "Exec_From_Mounted_Volume", DetectionType) as DetectionType
| where DetectionType != ""
| fields - ImageLower, CmdLower, TargetLower, ParentLower
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, Hashes, DetectionType
| sort by _messageTime desc
Severity: High · Confidence: Medium

Detects T1553.005 MOTW bypass in Sumo Logic using Sysmon operational events. Identifies Zone.Identifier ADS deletions (EventID 15), ADS manipulation via streams.exe or PowerShell, disk image mount commands, and suspicious process execution from non-system mounted drive letters.
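To see what each of the rule's four branches classifies before deploying it, here is an added Python re-implementation of the same branch logic (example code written for this page, not Sumo Logic's or the rule author's) run over constructed Sysmon-style XML events; the `ev` event builder, the `PS` path constant and the sample file paths are assumptions.

```python
import re
import xml.etree.ElementTree as ET

PS_RX = re.compile(r".*(powershell|pwsh)\.exe$")
MOUNTED_EXEC_RX = re.compile(r"^[D-Zd-z]:\\.*\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$")

def parse_event(xml_text):
    """Extract EventID and the named <Data> fields the rule parses from one Sysmon event."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("./System/EventID", default="")}
    for data in root.iter("Data"):
        fields[data.get("Name", "")] = data.text or ""
    return fields

def classify(ev):
    """DetectionType the rule assigns, or None; later branches override earlier ones like the chained if()."""
    eid, image = ev.get("EventID", ""), ev.get("Image", "")
    img, cmd = image.lower(), ev.get("CommandLine", "").lower()
    target, parent = ev.get("TargetFilename", "").lower(), ev.get("ParentImage", "").lower()
    hit = None
    if eid == "15" and target.endswith(":zone.identifier"):  # Branch 1: Zone.Identifier stream hashed
        hit = "Sysmon_ADS_Zone_Identifier"
    if eid == "1" and (re.match(r".*streams(64)?\.exe$", img)  # Branch 2: ADS manipulation tooling
            or (PS_RX.match(img) and "zone.identifier" in cmd
                and any(k in cmd for k in ("remove-item", "-stream", "clear-content", "set-content")))
            or ("cmd.exe" in img and "zone.identifier" in cmd)):
        hit = "ADS_Manipulation_Tool"
    if eid == "1" and PS_RX.match(img) and (  # Branch 3: disk image mount from PowerShell
            "mount-diskimage" in cmd or "mount-vhd" in cmd
            or (any(e in cmd for e in (".iso", ".vhd", ".vhdx", ".img"))
                and any(v in cmd for v in ("mount", "attach", "diskpart")))):
        hit = "DiskImage_Mount_PowerShell"
    if (eid == "1" and MOUNTED_EXEC_RX.match(image)  # Branch 4: execution from a D:-Z: volume
            and ("explorer.exe" in parent or "cmd.exe" in parent)
            and not any(x in img for x in ("program files", "games", "steam"))):
        hit = "Exec_From_Mounted_Volume"
    return hit

def ev(eid, **data):  # build a minimal Sysmon-style XML event; constructed sample, not real telemetry
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return f"<Event><System><EventID>{eid}</EventID></System><EventData>{body}</EventData></Event>"

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed path
SAMPLE_EVENTS = [
    ev(15, Image=r"C:\Windows\explorer.exe", TargetFilename=r"C:\Users\a\Downloads\invoice.iso:Zone.Identifier"),
    ev(1, Image=PS, CommandLine=r"powershell -c Remove-Item C:\Users\a\Downloads\report.docx -Stream Zone.Identifier"),
    ev(1, Image=PS, CommandLine=r"powershell -c Mount-DiskImage -ImagePath C:\Users\a\Downloads\invoice.iso"),
    ev(1, Image=r"E:\invoice\setup.exe", ParentImage=r"C:\Windows\explorer.exe"),
    ev(1, Image=r"D:\Program Files\Tool\tool.exe", ParentImage=r"C:\Windows\explorer.exe"),  # tuned out
]
```

The last sample shows the "program files" exclusion suppressing a portable-app launch from a secondary volume, which is the tuning case listed under False Positives below.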

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon via Sumo Logic collector
  • WinEventLog source

Required Tables

  • _sourceCategory=*windows*sysmon*
  • _sourceCategory=*WinEventLog*

False Positives & Tuning

  • Software deployment tools (SCCM, Intune, PDQ) mounting ISOs during provisioning workflows
  • IT staff using Sysinternals Streams.exe for legitimate ADS auditing or forensic investigations
  • Developers running portable applications or development environments from secondary volumes (D:, E:)
  • Backup or imaging software that mounts VHD/VHDX files as part of restore operations
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Mount ISO File and Execute Payload Without MOTW

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Mount-DiskImage' and the ISO path. System Event ID 6416 (Kernel-PnP): new virtual volume recognized. Sysmon Event ID 1: cmd.exe executing from a non-C: drive letter spawned by powershell.exe. Sysmon Event ID 11: motw-result.txt file creation in %TEMP%. Critically — no Sysmon Event ID 15 for Zone.Identifier on payload.bat inside the ISO, confirming MOTW bypass.

  2. Test 2: Strip Zone.Identifier ADS via PowerShell Remove-Item -Stream

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Zone.Identifier' and 'Remove-Item'. Sysmon Event ID 15 (FileCreateStreamHash): fires during the setup phase when Zone.Identifier is written to the file. DeviceFileEvents (MDE) ActionType=FileDeleted targeting the Zone.Identifier stream. Windows Security Event ID 4663 (if object access auditing enabled): DELETE access to the file's ADS.

  3. Test 3: Modify Zone.Identifier to ZoneId=0 (Amadey Technique)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Zone.Identifier' and 'Set-Content'. Sysmon Event ID 15 (FileCreateStreamHash): fires twice — once for ZoneId=3 creation and once for the ZoneId=0 overwrite, producing different hash values for the stream content. DeviceFileEvents ActionType=FileModified for the test file. Key forensic indicator: Sysmon Event ID 15 with a hash value matching the ZoneId=0 template string '[ZoneTransfer]\r\nZoneId=0'.

  4. Test 4: Delete Zone.Identifier Using Sysinternals Streams.exe

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading Streams.zip. Sysmon Event ID 3: network connection to download.sysinternals.com. Sysmon Event ID 11: Streams.zip and extracted files created in %TEMP%. Sysmon Event ID 1: streams64.exe process creation with CommandLine containing '-d' and the target file path. DeviceFileEvents: file modification event as Zone.Identifier ADS is deleted from the test file.
