An ISO file is an exact copy of an entire optical disc such as a CD, DVD, or Blu-ray archived in a single file. This file, also sometimes referred to as an ISO image, is a smaller-sized duplicate of large sets of data.
The reason I speak of ISO files is because of a security feature called Mark-of-the-Web (MOTW), originally introduced by Internet Explorer to force saved webpages to run in the security zone of the location the page was saved from.
Since the ISO file is just a compression method for files, I will take a regular EXE payload, pack it into an ISO file, and use that to demonstrate Mark-of-the-Web avoidance. This is helpful because Windows doesn't check whether the file inside the ISO came from the Internet, so we avoid the SmartScreen protection that usually kicks in when a file is from the Internet.
I will show a small demonstration of why MOTW is an important factor when delivering payloads:
SmartScreen: simply put, this feature protects Windows from files that were downloaded from the Internet. When such a payload is executed you receive a warning from SmartScreen.
I will follow with the execution of the payload:
That makes sense with the MOTW feature in place; now let's remove it:
Immediate execution, no checks of any sort.
I will demonstrate this now by packing the payload into an ISO file image and executing it to get a reverse shell. For demo purposes we can use an amazing tool called PackMyPayload, or we can take a blast from the past and use a tool called Nero.
I will fill in the requirements for the tool to give us our ISO image; multiple formats are supported, but I will demonstrate ISO in this example.
Pack our payload:
Then send this to our user:
Now verify the MOTW on the ISO file:
But we will see that the payload inside the ISO does not have the MOTW:
And if we try to run it, we get immediate execution.
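The MOTW the post is checking is stored in an NTFS alternate data stream named Zone.Identifier. The following is an added example (not part of the original post or of PackMyPayload) that reads and parses that stream so a defender can audit a downloaded file against the files that came out of it; the sample stream body is constructed, and `example.invalid` is a placeholder hostname.

```python
import os
from typing import Optional

# Zone IDs as written by Windows into the Zone.Identifier alternate data stream.
URLZONE_INTERNET = 3
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style body of a Zone.Identifier stream.
    Returns the ZoneId (int, or None if absent/malformed) plus the
    ReferrerUrl/HostUrl values that modern browsers also record."""
    result = {"zone_id": None, "referrer_url": None, "host_url": None}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "zoneid":
            try:
                result["zone_id"] = int(value.strip())
            except ValueError:
                pass  # malformed ZoneId: treat as no usable zone
        elif key == "referrerurl":
            result["referrer_url"] = value.strip()
        elif key == "hosturl":
            result["host_url"] = value.strip()
    return result

def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS. NTFS exposes it as 'path:Zone.Identifier';
    on non-NTFS volumes (mounted ISO contents, non-Windows hosts) it does not exist."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def motw_status(path: str) -> str:
    """'internet' if the MOTW says zone 3, 'other-zone' for any other zone,
    'none' if no stream exists (what a payload extracted from an ISO reports)."""
    body = read_zone_identifier(path)
    if body is None:
        return "none"
    return "internet" if parse_zone_identifier(body)["zone_id"] == URLZONE_INTERNET else "other-zone"

# Constructed sample of what a browser writes for a file downloaded from the Internet zone.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/payload.iso\r\n")
```

Running `motw_status` over the downloaded ISO and then over each file on the mounted volume makes the gap the post describes visible: the container reports `internet`, its contents report `none`.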