| ID | Name |
|---|---|
| ATAGS-T1107.001 | Code Signing |
| ATAGS-T1107.002 | Code Signing Policy Modification |
| ATAGS-T1107.003 | Gatekeeper Bypass |
| ATAGS-T1107.004 | Install Root Certificate |
| ATAGS-T1107.005 | Mark-of-the-Web Bypass |
| ATAGS-T1107.006 | SIP and Trust Provider Hijacking |
Threat Actors may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, files downloaded from the Internet are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose value is known as the MOTW. Files tagged with the MOTW are treated as untrusted and are blocked from certain actions. For example, starting in MS Office 10, an MS Office file carrying the MOTW opens in Protected View. Executables tagged with the MOTW are processed by Windows Defender SmartScreen, which compares them against an allowlist of well-known executables; if the file is not known and trusted, SmartScreen blocks execution and warns the user not to run it.
This type of attack technique cannot be easily mitigated with preventive controls, because it relies on the abuse of legitimate system features.
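An added example (not part of this catalogue entry) of what the Zone.Identifier stream looks like and how a defender can check whether a file still carries it: it parses the `[ZoneTransfer]` section, maps the ZoneId to the URLMON security zone, and reads the stream from a file on Windows. The sample stream content and its `example.com` URLs are constructed; the example assumes that ZoneId 3 (Internet) and 4 (Restricted Sites) are the values Protected View and SmartScreen key on.

```python
import sys
from typing import Optional

# URLMON security zone IDs that Windows writes into the Zone.Identifier ADS.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a Zone.Identifier stream as a browser download would write it.
SAMPLE_MOTW = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=https://example.com/dl/\r\n"
               "HostUrl=https://example.com/dl/report.xlsx\r\n")


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    result = {"zone_id": None, "zone": None, "referrer_url": None, "host_url": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid" and value.isdigit():
            result["zone_id"] = int(value)
            result["zone"] = ZONE_NAMES.get(int(value), "Unknown")
        elif key == "referrerurl":
            result["referrer_url"] = value
        elif key == "hosturl":
            result["host_url"] = value
    return result


def is_motw_tagged(text: Optional[str]) -> bool:
    """True when the stream marks Internet (3) or Restricted Sites (4) origin;
    a missing stream (None) means the file will not get Protected View/SmartScreen."""
    if text is None:
        return False
    zone_id = parse_zone_identifier(text)["zone_id"]
    return zone_id is not None and zone_id >= 3


def read_motw(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS via the NTFS 'file:stream' syntax.
    Returns None when the stream is absent or the platform is not Windows."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None
```

Running `is_motw_tagged(read_motw(path))` over the contents of an extracted archive or mounted image shows which files lost the tag, which is the condition this technique relies on.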