A quick post because this is useful for security control testing:
If you want to enable MOTW (mark of the web) on a file you can run the following PowerShell cmdlet:
Set-Content -Path '.\safe3.rtf' -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
This will set the alternate data stream (ADS) Zone.Identifier value to ZoneId=3 (Internet Zone).
You can unblock the file (remove the mark) with:
Unblock-File '.\safe3.rtf'
There’s more detail on the zones and how this works from Microsoft:
[MS-FSCC]: Zone.Identifier Stream Name | Microsoft Docs
About URL Security Zones (Windows) | Microsoft Docs
IE security zones registry entries for advanced users – Browsers | Microsoft Docs
The TL;DR is here:
Value Setting
------------------------------
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone
Hopefully that’s useful for both red and blue activities! Remember not all apps support writing the ADS for MOTW (so you can pull files down and avoid protected mode if you need 😉 )
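To check whether a file actually carries the mark, for example when testing whether a given application writes the ADS, you can read the stream back and map the ZoneId to the table above. This is an added example, not code from the original post; the function name Get-MotwZone and the sample file name are made up for illustration.

```powershell
# Added example. Get-MotwZone is a hypothetical helper name, not a built-in cmdlet.
# Zone names are taken from the table in this post.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

function Get-MotwZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        # A file with no Zone.Identifier stream raises an error here; suppress it
        # and treat the file as unmarked.
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in $lines) {
            # Other keys (for example ReferrerUrl, HostUrl) may be present; only ZoneId is read.
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1]; break }
        }
        if ($null -eq $zoneId) { $zone = 'No MOTW' }
        elseif ($ZoneNames.ContainsKey($zoneId)) { $zone = $ZoneNames[$zoneId] }
        else { $zone = 'Unknown zone' }

        [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Zone = $zone }
    }
}

# Constructed test file: mark it, read the zone back, unblock it, read again.
$sample = Join-Path $env:TEMP 'motw-sample.rtf'
Set-Content -LiteralPath $sample -Value 'constructed sample'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Get-MotwZone -Path $sample
Unblock-File -LiteralPath $sample
Get-MotwZone -Path $sample
Remove-Item -LiteralPath $sample

# To audit a whole folder: Get-ChildItem -File -Recurse | Get-MotwZone
```

This needs an NTFS volume and Windows PowerShell 3.0 or later, since the -Stream parameter is only available there.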