Cybersecurity researchers have discovered design weaknesses in Microsoft’s Windows Smart App Control and SmartScreen that could allow threat actors to gain initial access to target environments without raising any warning.
Smart App Control (SAC) is a cloud-based security feature introduced by Microsoft in Windows 11 that blocks malicious, untrusted, and potentially unwanted apps from running on your system. If the service cannot make a prediction about the app, it checks if the app is signed and has a valid signature before running it.
SmartScreen, released with Windows 10, is a similar security feature that determines if a site or downloaded app is malicious and leverages a reputation-based approach to URL and app protection.
“Microsoft Defender SmartScreen evaluates website URLs to determine whether they are known to distribute or host unsafe content,” Redmond said in the documentation.
“We also offer an app reputation check, which checks the digital signatures used to sign downloaded programs and files. If the URL, file, app, or certificate has an established reputation, the user will not see a warning. If it doesn’t have a reputation, the item will be marked as high risk and the user will see a warning.”
Also note that enabling SAC replaces and disables Defender SmartScreen.
“Smart App Control and SmartScreen have several fundamental design weaknesses that allow initial access without any security warnings and with minimal user interaction,” Elastic Security Labs said in a report shared with The Hacker News.
One of the easiest ways to circumvent these protections is to sign the payload with a legitimately issued Extended Validation (EV) certificate, a technique that malicious actors are already using to distribute malware, as the recent HotPage case showed.
The report describes several other bypass techniques:
- Reputation hijacking: identifying and repurposing applications that already have a good reputation (e.g. JamPlus or known AutoHotkey interpreters) so that attacker-supplied code runs under that reputation.
- Reputation seeding: planting seemingly benign attacker-controlled binaries so that they accrue a good reputation, then triggering malicious behavior later through an application vulnerability or once a certain amount of time has passed.
- Reputation tampering: modifying specific sections of a binary that already has a good reputation (e.g. a calculator) to inject shellcode without invalidating that reputation.
- LNK stomping: exploiting a bug in how Windows handles shortcut (LNK) files to strip the Mark of the Web (MotW) label; because SAC's blocking keys on that label, a file that has lost it is not subjected to the check.
“It creates LNK files with non-standard target paths or internal structures,” the researchers say. “Once clicked, these LNK files are modified by explorer.exe into a standard format that removes the MotW label before security checks are performed.”
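The detection side of the LNK-stomping description above, as an added example that is not Elastic's or Microsoft's code: a small parser for the Shell Link binary format (MS-SHLLINK) that pulls out the shortcut's target fields, a builder that emits a constructed minimal .lnk so the parser can be exercised offline, a check for the Zone.Identifier alternate data stream that carries the Mark of the Web, and a set of heuristics (my own, not a published rule) that flag a non-canonical target path such as a trailing dot or space before the shortcut is ever clicked. The builder only produces the structures this parser reads (header, LinkInfo with an empty VolumeID, RelativePath/Arguments StringData, terminal block); real shortcuts usually also carry an IDList, which the parser skips.

```python
"""Flag LNK-stomping candidates by parsing the Shell Link binary format (MS-SHLLINK).

Added example, not Elastic's or Microsoft's code. A "stomped" shortcut carries a
non-canonical target path (for instance a trailing dot or space); explorer.exe
rewrites such a shortcut into canonical form when it is opened, and the rewrite
is where the Mark of the Web is lost. Parsing the target path before the click
lets a detection pipeline flag the file while the MotW label is still attached.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# ShellLinkHeader.LinkFlags (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# LinkInfo.LinkInfoFlags (MS-SHLLINK 2.3)
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
# StringData sections appear in this fixed order when their flag is set (2.4)
STRING_DATA_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(local_base_path, relative_path=None, arguments=None):
    """Construct a minimal .lnk (constructed sample input) with a LinkInfo LocalBasePath."""
    flags = HAS_LINK_INFO | IS_UNICODE
    flags |= HAS_RELATIVE_PATH if relative_path is not None else 0
    flags |= HAS_ARGUMENTS if arguments is not None else 0
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # VolumeID: VolumeIDSize, DriveType (DRIVE_FIXED), serial, VolumeLabelOffset, empty label
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"
    base = local_base_path.encode("latin-1") + b"\x00"   # NUL-terminated LocalBasePath
    suffix = b"\x00"                                      # empty CommonPathSuffix
    vol_off = 0x1C                                        # LinkInfoHeaderSize, no unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), vol_off,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + suffix

    def string_data(s):  # CountCharacters followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = b""
    if relative_path is not None:
        body += string_data(relative_path)
    if arguments is not None:
        body += string_data(arguments)
    return header + link_info + body + b"\x00\x00\x00\x00"  # TerminalBlock


def parse_lnk(data):
    """Return the target-related fields of a Shell Link as a dict."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "local_base_path": None, "relative_path": None, "arguments": None}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the PIDL, keep its size for triage
        info["id_list_size"] = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + info["id_list_size"]
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, base_off, _cnrl, _sfx = struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            end = data.index(b"\x00", pos + base_off)
            info["local_base_path"] = data[pos + base_off:end].decode("latin-1")
        pos += size
    for flag, key in STRING_DATA_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("latin-1")
            pos += count
    return info


def lnk_stomping_indicators(info):
    """Heuristics (my own, tune per environment) for a non-canonical target path."""
    reasons = []
    for key in ("local_base_path", "relative_path"):
        path = info.get(key)
        if path and path != path.rstrip(". "):
            reasons.append(f"{key} ends with a dot or space: {path!r}")
    base = info.get("local_base_path")
    if base:
        if not re.match(r"^[A-Za-z]:\\", base):
            reasons.append(f"local_base_path is not an absolute drive path: {base!r}")
        if re.search(r"\\\.{1,2}(\\|$)", base):
            reasons.append(f"local_base_path contains '.' or '..' components: {base!r}")
    return reasons


def has_mark_of_the_web(path):
    """True if the file carries a Zone.Identifier alternate data stream (NTFS on Windows only)."""
    try:
        with open(path + ":Zone.Identifier", "rb") as ads:
            return b"ZoneId" in ads.read()
    except OSError:
        return False


if __name__ == "__main__":
    stomped = build_lnk(r"C:\Windows\System32\calc.exe.")   # constructed: trailing dot
    clean = build_lnk(r"C:\Windows\System32\calc.exe",
                      relative_path=r"..\..\..\Windows\System32\calc.exe")
    for label, blob in (("stomped", stomped), ("clean", clean)):
        print(label, lnk_stomping_indicators(parse_lnk(blob)))
```

Run the parser over shortcuts as they land in the download directory (while `has_mark_of_the_web` still returns True), not after a user has opened them; once explorer.exe has rewritten the file, both the odd target path and the label are gone and there is nothing left to detect on disk.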
“Our reputation-based protection system is a powerful layer for blocking common malware,” the company said, “but like any protection technology, there are weaknesses that can be avoided with care. Security teams should carefully scrutinize downloads in their detection stacks and not rely solely on OS-native security features for protection in this area.”