
DET0257 Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files

Item            Value
ID              DET0257
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1553.005 (Mark-of-the-Web Bypass)

Analytics

Windows

AN0712

Detects extraction or mounting of container and disk-image files (e.g., .iso, .vhd, .zip) that carry a Zone.Identifier alternate data stream from an Internet download but whose contained files never receive a Zone.Identifier stream of their own. Correlates the container's file metadata and the creation of its inner files with subsequent execution of unsigned or untrusted binaries that, lacking the mark, run without triggering SmartScreen or Office Protected View.

Log Sources
Data Component          Name                  Channel
File Access (DC0055)    WinEventLog:Security  EventCode=4663 (object accessed), 4670 (object permissions changed), 4656 (handle requested)
File Creation (DC0039)  WinEventLog:Sysmon    EventCode=11 (FileCreate)
File Metadata (DC0059)  WinEventLog:Sysmon    EventCode=15 (FileCreateStreamHash, written when an alternate data stream such as Zone.Identifier is created)
Mutable Elements
Field                   Description
WatchedExtensions       Container and disk-image extensions treated as Internet-sourced containers (e.g., .iso, .vhd, .zip, .gz, .rar); adjust to the formats actually used in the enterprise
TimeWindow              Maximum interval between the container's extraction or mount and the first execution of an inner file for the two to be correlated
TrustedExtractionTools  Allowlist of known enterprise archivers and deployment mechanisms; inner files written by these are not correlated, to reduce false positives
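The following is an added, stand-alone illustration of the AN0712 correlation and its three mutable elements; it is not part of the ATT&CK detection strategy. It joins constructed Sysmon events: Event 15 (Zone.Identifier stream written on a watched container), Event 11 (inner file created by an extractor), and Event 1 (process creation, which this page does not list among its log sources and is assumed here to stand in for "subsequent execution"). The sample events, the deployment-tool path in TrustedExtractionTools, the archiver path, and the 30-minute window are all invented for the example; the Contents field is the Zone.Identifier text Sysmon records for small streams.

```python
"""Correlate Sysmon events for the AN0712 analytic: an Internet-zoned container
(Zone.Identifier stream written, Sysmon 15) is followed by extraction of inner
files (Sysmon 11) that never receive their own Zone.Identifier stream, and one
of those files is then executed (Sysmon 1, assumed) inside TIME_WINDOW.
All sample events below are constructed for illustration, not real telemetry."""
from datetime import datetime, timedelta

# Mutable elements from the detection strategy, with illustrative values
WATCHED_EXTENSIONS = {".iso", ".vhd", ".vhdx", ".img", ".zip", ".gz", ".rar", ".7z"}
TIME_WINDOW = timedelta(minutes=30)
# Hypothetical enterprise deployment tool; files it writes are not correlated
TRUSTED_EXTRACTION_TOOLS = {r"c:\program files\deploy\deploy-agent.exe"}

ZONE_SUFFIX = ":zone.identifier"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _ext(path):
    dot = path.rfind(".")
    return path[dot:] if dot > path.rfind("\\") else ""


def is_internet_zone(contents):
    """True when a Zone.Identifier stream marks the file as Internet (ZoneId=3)
    or Restricted (ZoneId=4); lower zones do not trigger SmartScreen."""
    for line in contents.replace("\r", "").split("\n"):
        key, sep, val = line.strip().partition("=")
        if sep and key.lower() == "zoneid":
            return val.strip().isdigit() and int(val) >= 3
    return False


def correlate(events):
    """Return one alert per execution, within TIME_WINDOW, of an inner file that
    was written after an Internet-zoned container appeared and never got a mark."""
    events = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    containers = {}   # container path -> time its Zone.Identifier was written
    tagged = set()    # every file that received an Internet Zone.Identifier
    extracted = {}    # inner file path -> (creation time, container, creator)
    alerts = []
    for e in events:
        t = _ts(e["UtcTime"])
        code = e["EventCode"]
        target = e.get("TargetFilename", "").lower()
        image = e.get("Image", "").lower()
        if code == 15 and target.endswith(ZONE_SUFFIX):
            path = target[: -len(ZONE_SUFFIX)]
            if is_internet_zone(e.get("Contents", "")):
                tagged.add(path)
                if _ext(path) in WATCHED_EXTENSIONS:
                    containers[path] = t
        elif code == 11:
            if image in TRUSTED_EXTRACTION_TOOLS:
                continue  # allowlisted extractor: never correlated
            # attribute the new file to the most recent container in the window
            recent = [(ct, c) for c, ct in containers.items()
                      if timedelta(0) <= t - ct <= TIME_WINDOW]
            if recent:
                _, container = max(recent)
                extracted[target] = (t, container, image)
        elif code == 1 and image in extracted and image not in tagged:
            ct, container, creator = extracted[image]
            if t - ct <= TIME_WINDOW:
                alerts.append({"image": image, "container": container,
                               "extracted_by": creator,
                               "executed_at": e["UtcTime"]})
    return alerts


# Constructed sample telemetry (paths and times invented for the example)
SAMPLE_EVENTS = [
    # Browser download: Windows writes ZoneId=3 on the container itself
    {"EventCode": 15, "UtcTime": "2025-10-21 10:00:00", "Image": r"C:\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.zip\r\n"},
    # Explorer extraction propagates the mark to the inner file: benign
    {"EventCode": 11, "UtcTime": "2025-10-21 10:01:10", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\viewer.exe"},
    {"EventCode": 15, "UtcTime": "2025-10-21 10:01:10", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\viewer.exe:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:01:30",
     "Image": r"C:\Users\alice\Downloads\invoice\viewer.exe"},
    # Hypothetical archiver that writes no Zone.Identifier on extracted files
    {"EventCode": 11, "UtcTime": "2025-10-21 10:02:00", "Image": r"C:\Tools\unpack.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\invoice.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:03:30",
     "Image": r"C:\Users\alice\Downloads\invoice\invoice.exe"},
    # Allowlisted deployment tool writing and running an unmarked binary: ignored
    {"EventCode": 11, "UtcTime": "2025-10-21 10:04:00",
     "Image": r"C:\Program Files\Deploy\deploy-agent.exe",
     "TargetFilename": r"C:\ProgramData\Deploy\agent-update.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:04:05",
     "Image": r"C:\ProgramData\Deploy\agent-update.exe"},
    # Same unmarked binary run again after the window closed: not correlated
    {"EventCode": 1, "UtcTime": "2025-10-21 10:45:00",
     "Image": r"C:\Users\alice\Downloads\invoice\invoice.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the archiver case produces an alert: the Explorer extraction is cleared because the inner file received its own Internet Zone.Identifier, the deployment tool is cleared by the allowlist, and the late execution falls outside TimeWindow. Mounted .iso or .vhd images produce no FileCreate events for their contents, so that branch of the analytic needs a different join (the executed image's drive letter against the mount) rather than the Event 11 lookup shown here.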