Windows Smart App Control and SmartScreen
When activated, SAC supersedes and disables Defender SmartScreen, while Microsoft has made available undocumented APIs that allow for the assessment of a file's trust level within both SmartScreen and SAC. This accessibility has empowered researchers to create tools that can evaluate the trustworthiness of files more effectively.
Researchers from Elastic Labs have delved into reputation-based and LNK (shortcut) file techniques to exploit these systems, aiming to gain unauthorized access to devices.
Exploiting Reputation Systems to Bypass SmartScreen
One notable method for bypassing SAC involves the use of legitimate code-signing certificates to sign malware. Attackers have increasingly acquired Extended Validation certificates, which necessitate identity verification, by impersonating legitimate businesses. A case in point is the SolarMarker threat group, which has leveraged over 100 distinct signing certificates in its operations.
Another approach, termed reputation hijacking, repurposes trusted applications to evade security protocols. Script hosts with foreign function interfaces, such as Lua and Node.js interpreters, are particularly susceptible to this tactic. By utilizing these trusted applications, attackers can load and execute malicious code without raising any alarms.
Detecting reputation hijacking can be challenging, given the multitude of applications that can be exploited for this purpose. However, security teams can devise behavioral signatures to identify general categories of compromised software. For instance, they may monitor for common Lua or Node.js function names or modules within suspicious call stacks, or leverage local reputation systems to pinpoint anomalies that require further scrutiny.
LNK File Vulnerability and Detection Strategies
A significant vulnerability has been uncovered in Windows' handling of LNK (shortcut) files. By crafting LNK files with unconventional target paths, attackers can bypass Mark of the Web (MotW) checks, effectively evading the protections offered by SmartScreen and SAC. This flaw, which has persisted for at least six years, permits arbitrary code execution without triggering security warnings.
To mitigate these risks, security teams should adopt multi-layered detection strategies. This includes cataloging and blocking known abused applications, developing behavioral signatures to recognize suspicious activities, and maintaining vigilant monitoring of downloaded files. For example, teams can establish rules to detect common function names or modules associated with compromised script hosts in call stacks. Additionally, a focus on local reputation systems can aid in identifying outliers within the environment that merit closer examination.
It is essential for security teams to conduct thorough scrutiny of downloads within their detection frameworks, rather than relying exclusively on OS-native security features for safeguarding against these vulnerabilities. The researchers emphasize that in-memory evasion, persistence, credential access, enumeration, and lateral movement behaviors can be instrumental in identifying reputation hijacking techniques in practical scenarios.