Researchers have uncovered additional weaknesses in the Windows SmartScreen system first introduced in Windows 8, along with Smart App Control (SAC), an evolution of SmartScreen designed to add significant protection against new and emerging threats by blocking apps that are malicious or untrusted.
These new techniques could potentially allow attackers to bypass operating system-level security measures without triggering warnings or pop-ups.
Windows Smart App Control and SmartScreen
When enabled, SAC replaces and disables Defender SmartScreen. Microsoft also exposes undocumented APIs for querying the trust level of files for SmartScreen and SAC, allowing researchers to develop utilities that display the trust of a file.
Researchers from Elastic Labs studied reputation-based and LNK (shortcut) file-based techniques to bypass both systems and gain further access to devices.
Exploiting Reputation Systems to Bypass SmartScreen
One method to circumvent SAC involves signing malware with legitimate code-signing certificates. Attackers have increasingly obtained Extended Validation certificates, which require identity verification, by impersonating businesses. The SolarMarker threat group, for instance, has used over 100 unique signing certificates in their campaigns.
Another tactic, known as reputation hijacking, involves repurposing trusted applications to bypass security checks. Script hosts with foreign function interfaces, such as Lua and Node.js interpreters, are particularly vulnerable to this approach. Attackers can use these trusted applications to load and execute malicious code without triggering alerts.
Reputation hijacking can be difficult to detect, as countless applications can be co-opted to carry out the technique. However, security teams can develop behavioral signatures to identify general categories of abused software.
For example, these teams can look for common Lua or Node.js function names or modules in suspicious call stacks, or use local reputation to identify outliers in their environment for closer inspection.
LNK File Vulnerability and Detection Strategies
A significant discovery involves a bug in Windows’ handling of LNK (shortcut) files. By crafting LNK files with non-standard target paths, attackers can bypass Mark of the Web (MotW) checks, effectively sidestepping SmartScreen and SAC protections. This vulnerability, which has existed for at least six years, allows for arbitrary code execution without security warnings.
To counter these threats, security teams should implement multi-layered detection strategies. This includes cataloging and blocking known abused applications, developing behavioral signatures to identify suspicious activities, and closely monitoring downloaded files.
For example, teams can create rules to detect common function names or modules associated with hijacked script hosts in call stacks. Additionally, focusing on local reputation systems can help identify outliers in the environment that warrant closer inspection.
SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.
The researchers single out in-memory evasion, persistence, credential access, enumeration, and lateral movement related behaviors as helpful for singling out reputation hijacking-based techniques in real scenarios.
