
# ISO

An ISO file is an exact copy of an entire optical disc such as a CD, DVD, or Blu-ray, archived in a single file. This file, also sometimes referred to as an ISO image, is a smaller-sized duplicate of a large set of data.

The reason I bring up ISO files is a security feature called Mark-of-the-Web (MOTW), originally introduced by Internet Explorer to force saved web pages to run in the security zone of the location the page was saved from.

[Nobelium](https://redmondmag.com/articles/2021/05/28/nobelium-spearphishing-attacks.aspx)

![](/files/fRAtdNu2KVIRCBd92uhg)

Since an ISO file is just a way of bundling files into a single image, I will show the example of taking a regular EXE payload and packing it into an ISO file. This demonstrates the mark-of-the-web avoidance: Windows does not check whether the file inside the image came from the Internet, so we avoid the SmartScreen protection that normally kicks in when a file is downloaded from the Internet.

I will show a small demonstration of why MOTW is an important factor when delivering payloads:

SmartScreen: put simply, this feature protects Windows from files that have been downloaded from the Internet. When such a payload is executed you will receive a warning from SmartScreen:

![](/files/iPsF9oY8ROb7Vftomgge)

Next, the execution of the payload:

![](/files/0B4wkMYbiAM5Y6FzpFty)

That makes sense given the MOTW feature; now let's remove it:

![](/files/NJzQoL0ISmdB6bcJMeDa)

Immediate execution, with no checks of any sort.

I will demonstrate this now by packing the payload into an ISO image and executing it for a reverse shell. For demo purposes we can use an amazing tool called PackMyPayload, or we can take a blast from the past and use a tool called Nero.

PackMyPayload:

I will supply the arguments the tool needs to give us our ISO image; multiple formats are supported, but I will demonstrate ISO in this example.

![](/files/Ok2gfiaAaMQog7kEz83M)

We pack our payload:

![](/files/mLdkVR7NIjHRdNPdqMka)

Then send this to our user:

![](/files/rTnmWh08nwA5PdGiq94x)

Now we verify the MOTW on the ISO file:

![](/files/yX0YjfnKojB9uLrSNiQc)

But we will see that the payload inside the ISO does not have the MOTW:

![](/files/tLyG7hK6BUM0ChL36JU5)

And if we try to run it, we get immediate execution:

![](/files/8WHAV8sVXdU7EWArvq7s)
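To make the two verification steps above reproducible from the defender's side, here is an added PowerShell check (example code, not from the original notes and not part of PackMyPayload): it reads the Zone.Identifier stream on the downloaded ISO container and on every file of the volume where that ISO has been mounted. The ISO path and the drive letter are placeholders the analyst supplies.

```powershell
# Added example, not from the original notes: report the Mark-of-the-Web zone of a
# downloaded ISO and of every file on the volume where that ISO has been mounted.
# Assumptions: the ISO path and the drive letter Windows assigned on mounting are
# supplied by the analyst; both defaults below are placeholders.
param(
    [string]$IsoPath      = "$env:USERPROFILE\Downloads\payload.iso",  # placeholder
    [string]$MountedDrive = 'E:'                                       # placeholder
)

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW lives in the NTFS alternate data stream "Zone.Identifier";
    # no stream means no mark. ZoneId=3 is the Internet zone.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Format-Zone {
    param($Zone)
    if ($null -eq $Zone) { return 'no Zone.Identifier stream (no MOTW)' }
    if ($Zone -eq 3)     { return 'ZoneId=3 (Internet)' }
    return "ZoneId=$Zone"
}

# 1. The container itself: downloaded from the Internet, so it should carry ZoneId=3.
"{0,-60} {1}" -f $IsoPath, (Format-Zone (Get-MotwZone -Path $IsoPath))

# 2. The files inside the mounted image. A mounted ISO is a read-only CDFS/UDF
#    volume rather than NTFS, so there is no stream to carry the mark; this is
#    the difference the two screenshots above show.
Get-ChildItem -LiteralPath "$MountedDrive\" -File -Recurse | ForEach-Object {
    "{0,-60} {1}" -f $_.FullName, (Format-Zone (Get-MotwZone -Path $_.FullName))
}
```

A missing stream on the mounted files is the condition SmartScreen has nothing to act on here. Later Windows updates propagate the mark into files from mounted images, so the output on a patched host can differ from the screenshots.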
