CVE-2024-38217 — Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability

CVE-2024-38217

Windows MotW — Zero-Day 'LNK Stomping' Technique Removes Zone.Identifier from Specially Crafted Shortcuts; Elastic Security Discovery; September 2024 Patch Tuesday

What is Mark of the Web (MotW)?

Mark of the Web (MotW) is a Windows security mechanism that tags files downloaded from the internet or received from untrusted sources with a Zone.Identifier alternate data stream (ADS). The stream records the URL security zone the file came from (ZoneId=3 is the Internet zone). Security features such as SmartScreen, Protected View in Office, and Windows Defender application behavior checks inspect this tag and apply stricter policies to internet-origin files: showing a warning before a downloaded script runs, opening a downloaded Office document in Protected View, and triggering a SmartScreen reputation check. Bypassing MotW means these warnings and checks never fire, so a malicious file runs with the same trust as a locally created one.

Overview

CVE-2024-38217 is a zero-day MotW protection mechanism failure discovered by Elastic Security Labs and patched on September 10, 2024 (September Patch Tuesday). The vulnerability is exploited through a "LNK stomping" technique: a specially crafted Windows shortcut (.lnk) whose target path is stored in a non-standard form causes Windows Explorer to normalize the path when the shortcut is opened and to rewrite the .lnk file in the process, which destroys the Zone.Identifier alternate data stream carrying the MotW tag. The MotW tag is thus silently removed from the file before SmartScreen or Protected View can evaluate it.

Affected Versions

Product                               Status
Windows 10 (all supported versions)   Patched (September 2024 Patch Tuesday)
Windows 11 (all supported versions)   Patched (September 2024 Patch Tuesday)
Windows Server 2016 and later         Patched (September 2024 Patch Tuesday)

Technical Details

The weakness is classified as CWE-693 (Protection Mechanism Failure). The "LNK stomping" technique exploits how Windows processes .lnk shortcut files whose target path is stored in a non-standard representation. A shortcut can be crafted with a target path in a non-normalized form, for example a relative path, an environment variable reference, or a drive path notation that differs from the format Windows Explorer expects. When the user opens this shortcut, Windows Explorer normalizes the target path and rewrites the .lnk file to store the canonical form. This rewrite creates a new file on disk, and the new file inherits no alternate data streams from the original, so the Zone.Identifier stream (the MotW tag) is dropped.

Because the MotW removal happens before SmartScreen or Protected View inspect the file, the user receives no warning when the shortcut's target payload executes. The technique works for any payload reachable through the shortcut's target (.exe, .js, .ps1, and so on) and had reportedly been in use by malware distributors for at least six years before the patch, a very long exploitation window.

Discovery

The vulnerability was discovered by Elastic Security Labs, which published detailed research describing the technique as part of a broader analysis of Windows Smart App Control and SmartScreen bypass methods. Elastic's research showed that the technique had been used in the wild for an extended period before the patch and provided indicators for detecting LNK files with non-standard path formatting.

Exploitation Context

LNK stomping was used by multiple malware campaigns as a reliable SmartScreen and Protected View bypass, including Magniber ransomware operations and various commodity malware distributors. The technique is particularly effective because it requires only that the victim open a .lnk shortcut file — a very low-interaction requirement that makes it suitable for phishing attachments and drive-by downloads. The six-year exploitation window before patching means a large historical corpus of malicious .lnk files using this technique exists, and organizations should review past endpoint logs for files with non-standard LNK path formats.

Remediation

  1. Apply the September 2024 Windows security updates (Patch Tuesday, September 10, 2024) to all affected systems.
  2. Audit endpoint detection and response (EDR) logs for .lnk files with non-standard target path formats — indicators of LNK stomping are detectable via Elastic's published research signatures.
  3. Configure Group Policy to block execution of .lnk files from internet-origin locations or email attachments as a defense-in-depth measure.
  4. Enable Attack Surface Reduction rules to restrict execution of files with missing or removed MotW tags from unusual locations.
  5. Review email gateway and web proxy logs for .lnk file deliveries over the past six years as a precautionary measure given the length of exploitation history.
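As an added illustration (not code from this page, from Elastic, or from Microsoft) of the non-standard target forms described under Technical Details and of the audit in remediation step 2: a minimal MS-SHLLINK parser that recovers a shortcut's stored LocalBasePath and RelativePath and flags forms Explorer would normalize on open. The sample .lnk bytes are constructed inline, the names build_lnk, lnk_target_paths and lnk_stomping_indicators are mine, and the flagging heuristics are assumptions, not Elastic's published signatures.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLinkHeader CLSID
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, IS_UNICODE = 0x01, 0x02, 0x04, 0x08, 0x80

def build_lnk(local_base_path, relative_path=None):
    # Constructed sample: minimal .lnk with LinkInfo (ANSI LocalBasePath) + optional RelativePath; not a working shortcut.
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_REL_PATH if relative_path else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    base, hsize = local_base_path.encode("ascii") + b"\x00", 0x1C
    link_info = struct.pack("<IIIIIII", hsize + len(base) + 1, hsize, 0x01,
                            0, hsize, 0, hsize + len(base)) + base + b"\x00"
    sdata = b"" if not relative_path else (
        struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le"))
    return header + link_info + sdata

def lnk_target_paths(data):
    # Parse just enough of MS-SHLLINK to recover LocalBasePath and RelativePath.
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_IDLIST:                              # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    out = {"local_base_path": None, "relative_path": None}
    if flags & HAS_LINK_INFO:
        size, _, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x01:                             # VolumeIDAndLocalBasePath set
            off = pos + struct.unpack_from("<I", data, pos + 16)[0]
            out["local_base_path"] = data[off:data.index(b"\x00", off)].decode("latin-1")
        pos += size
    width = 2 if flags & IS_UNICODE else 1              # StringData order: NAME, RELATIVE_PATH
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path")):
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            out[key] = data[pos + 2:pos + 2 + n * width].decode(
                "utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n * width
    return out

def lnk_stomping_indicators(data):
    # Assumed heuristics (not Elastic's rules): forms Explorer would normalize on open, i.e. a trailing dot/space or a LocalBasePath that is not X:\...
    paths, findings = lnk_target_paths(data), []
    for key, p in paths.items():
        if p and p != p.rstrip(". "):
            findings.append(f"{key} has trailing dot/space: {p!r}")
    lbp = paths.get("local_base_path")
    if lbp and not (len(lbp) > 2 and lbp[0].isalpha() and lbp[1:3] == ":\\"):
        findings.append(f"local_base_path is not an absolute drive path: {lbp!r}")
    return findings
```

Run the indicator function over .lnk files collected from mail or download directories; an empty list means the stored target is in the canonical form and would not trigger the rewrite.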

Key Details

Property              Value
CVE ID                CVE-2024-38217
Vendor / Product      Microsoft — Windows
NVD Published         2024-09-10
NVD Last Modified     2025-10-28
CVSS 3.1 Score        5.4
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Severity              MEDIUM
CWE                   CWE-693
CISA KEV Added        2024-09-10
CISA KEV Deadline     2024-10-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       None
Integrity             Low
Availability          Low

Required Action

CISA BOD 22-01 Deadline: 2024-10-01. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-09-10   Microsoft patches CVE-2024-38217 as a zero-day on September 2024 Patch Tuesday; CISA adds it to KEV the same day
2024-10-01   CISA BOD 22-01 remediation deadline