An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.
A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.
Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.
The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called 'Zone.Identifier,' which can be viewed using the 'dir /R' command and opened directly in Notepad, as shown below.
![[correlate]](/data/avatars/m/79/79653.jpg?1556985072){kind=avatar}
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
