title: Mark-of-the-Web Bypass (T1553.005)
id: df00tech-t1553-005
status: experimental
description: "Adversaries abuse container file formats such as ISO disk images, VHD/VHDX virtual hard disks, and compressed archives (ZIP, RAR, 7z, ARJ) to deliver malicious payloads that bypass Mark-of-the-Web (MOTW) protections. When a container file is downloaded from the Internet, Windows tags it with a Zone.Identifier NTFS Alternate Data Stream (ZoneId=3), but files extracted or mounted from containers typically do not inherit this tag: the tag lives in an NTFS alternate data stream, and many container formats cannot carry NTFS ADS metadata. This allows embedded executables, scripts, and LNK files to bypass Protected View in Microsoft Office, Windows Defender SmartScreen warnings, and other MOTW-dependent security controls. Adversaries also directly manipulate or delete the Zone.Identifier ADS on already-downloaded files (Amadey sets ZoneId=0; attackers use streams.exe or PowerShell Remove-Item -Stream). This technique has been widely adopted by TA505 (ISO/LNK chains), QakBot (ISO packaging), APT29 (ISO/VHDX embedded in HTML), and APT38 (ISO/VHD delivery)."
references:
  - https://attack.mitre.org/techniques/T1553/005/
  - https://df00tech.com/detections/T1553.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1553.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators legitimately mounting Windows Server or application installer ISO files for software deployment via PowerShell scripting
  - "Virtual machine management software (VMware vCenter, Hyper-V Manager, VirtualBox) programmatically mounting VHD/VHDX files for VM provisioning or backup restoration"
  - "Backup and recovery software (Veeam, Acronis, Macrium Reflect) that mounts disk images to facilitate granular file restoration"
  - Security administrators using Sysinternals streams.exe to audit alternate data streams on files during investigations or system hardening
  - "Developer workflows using Mount-DiskImage for application packaging pipelines, Docker Desktop disk image management, or WSL2 virtual hard disk operations"
  - CD/DVD ripping and burning software creating and locally mounting ISO images for verification prior to burning to physical media
level: high
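Added example (not part of the df00tech rule or its KQL/SPL query): a Python triage helper that parses the contents of a file's Zone.Identifier stream and reports whether MOTW still applies, covering the three cases the description names: a tagged download (ZoneId=3), a zeroed stream (ZoneId=0), and a file with no stream at all, as happens after extraction from an ISO/VHD. The sample stream contents and URLs are constructed.

```python
# Added example, not df00tech's code: parse a Zone.Identifier ADS and report
# whether MOTW-dependent controls (Protected View, SmartScreen) still apply.
from dataclasses import dataclass
from typing import Optional


@dataclass
class MotwInfo:
    present: bool               # the stream exists at all
    zone_id: Optional[int]      # ZoneId from the [ZoneTransfer] section, if parseable
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(stream: Optional[bytes]) -> MotwInfo:
    """Parse raw Zone.Identifier bytes (INI-style, [ZoneTransfer] section).
    None models a file that has no stream, e.g. one extracted from an ISO/VHD."""
    if stream is None:
        return MotwInfo(False, None, None, None)
    zone_id = referrer = host = None
    in_section = False
    for raw in stream.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "zoneid" and value.isdigit():
                zone_id = int(value)
            elif key == "referrerurl":
                referrer = value
            elif key == "hosturl":
                host = value
    return MotwInfo(True, zone_id, referrer, host)


def motw_status(info: MotwInfo) -> str:
    """Triage verdict: does Windows still treat this file as Internet-sourced?"""
    if not info.present:
        return "missing"    # typical of files extracted or mounted from a container
    if info.zone_id in (3, 4):
        return "tagged"     # Internet/Restricted zone: MOTW controls apply
    if info.zone_id == 0:
        return "zeroed"     # ZoneId=0 on a downloaded file: Amadey-style tampering
    return "unknown"        # intranet/trusted or malformed stream: review manually


# Constructed samples of what `Get-Content -Stream Zone.Identifier` would show
DOWNLOADED_ISO = b"[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\nHostUrl=https://example.invalid/payload.iso\r\n"
ZEROED_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"
EXTRACTED_FROM_ISO = None   # no stream: the file never inherited the tag
```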
