The article analyzes weaknesses in reputation-based protection systems such as Windows Smart App Control (SAC) and SmartScreen, and shows bypass techniques attackers use to gain initial access without triggering a warning. It also provides detection strategies and emphasizes that defenders need to supplement OS-native protections with behavioral and heuristic signals. #SmartAppControl #SmartScreen #LNKStomping #ReputationHijacking #ReputationSeeding #ReputationTampering #SolarMarker #JamPlus #AutoHotkey
Key points
- Design Weaknesses: Windows Smart App Control and SmartScreen have vulnerabilities that allow attackers to bypass security warnings.
- LNK File Bug: A bug in handling LNK files can be exploited to bypass security controls.
- Signed Malware: Attackers can sign malware with legitimate certificates to evade detection.
- Reputation Hijacking: Attackers repurpose applications that already have a good reputation to bypass protection systems.
- Reputation Seeding: Attacker-controlled binaries are seeded into systems ahead of time so that they accumulate a good reputation.
- Reputation Tampering: Some modifications to a file leave its reputation intact, allowing malicious code to execute under the original file's trust.
- LNK Stomping: Crafting LNK files with non-standard target paths causes the Mark of the Web label to be removed, bypassing the security checks that depend on it.
- Detections: Emphasizes behavioral signatures and scrutiny of downloads to compensate for OS-native protections.
MITRE Techniques
- [T1071.001] Signed Malware – ‘Attackers sign malware with legitimate code-signing certificates to evade detection.’
- [T1071.002] Reputation Hijacking – ‘Repurposing applications with good reputations to bypass security systems.’
- [T1071.003] Reputation Seeding – ‘Seeding attacker-controlled binaries into systems to gain a good reputation.’
- [T1071.004] Reputation Tampering – ‘Modifying files to retain their reputation while executing malicious code.’
- [T1071.005] LNK Stomping – ‘Crafting LNK files with non-standard paths to bypass security checks.’
Indicators of Compromise
- [Hash] context – ba35b8b4346b79b8bb4f97360025cb6befaf501b03149a3b5fef8f07bdf265c7, 4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10 – Observed as sample hashes associated with reputation hijacking demonstrations.
- [File name] context – powershell.exe, calc.exe – Demonstrated usage in LNK stomping to launch PowerShell and pop Calc.
- [Process] context – explorer.exe – In LNK stomping, explorer.exe rewrites the crafted LNK file in canonical form when it is opened, which strips the Mark of the Web, and then launches the target executable.
Read more: https://www.elastic.co/security-labs/dismantling-smart-app-control