Newly discovered vulnerabilities in Windows Smart App Control (SAC) and SmartScreen allow attackers to bypass these protections without triggering any warning. The weaknesses, which involve the handling of LNK files and the reputation-based checks both systems rely on, call for improved detection strategies if defenders are to cover the gap.
The security research team at Elastic conducted an in-depth analysis, revealing critical flaws in the Windows Smart App Control and SmartScreen systems. They identified several methods attackers could exploit to gain initial access and evade detection, focusing particularly on the improper handling of LNK files and other bypass techniques.
Smart App Control and SmartScreen: Background
Microsoft introduced SmartScreen in Windows 8, enhancing it with Smart App Control in Windows 11. These systems are designed to block malicious or untrusted applications by querying a Microsoft cloud service to verify their safety. However, these protections can be circumvented if attackers manipulate code-signing certificates or exploit specific vulnerabilities.
Vulnerabilities
- Code-Signing Certificate Exploitation: Attackers have increasingly obtained Extended Validation (EV) signing certificates to disguise malware. By impersonating businesses, they acquire certificates that make their malware appear legitimate, effectively bypassing SAC's checks.
- Reputation Hijacking: This technique involves leveraging applications with established reputations to execute malicious code. Attackers repurpose script hosts such as Lua, Node.js, and AutoHotkey, which have high reputations, to execute arbitrary code without detection.
- Reputation Seeding: Attackers can introduce benign-seeming binaries into the system, allowing them to gain a good reputation before activating embedded malicious code. This method exploits SAC's trust mechanisms, which sometimes label these binaries as safe within hours.
- Reputation Tampering: Modifications to certain sections of a file can be made without changing its reputation, allowing attackers to insert malicious code into trusted binaries. This exploits potential weaknesses in SAC's hashing or similarity comparison methods.
- LNK Stomping: The research highlighted a flaw where crafted LNK files with non-standard target paths bypass security checks. When such a file is opened, Windows' explorer.exe rewrites it to correct the path, and that rewrite drops the Mark of the Web (MotW), so the target runs without any security warning.
Demonstration and impact
The research team demonstrated various techniques through videos and samples. For instance, they showed how LNK files could be manipulated to launch PowerShell and execute arbitrary code, bypassing Smart App Control entirely. These demonstrations underscore the critical need for improved detection and mitigation strategies.
Defensive measures
To counter these vulnerabilities, security teams should focus on:
- Implementing behavioral signatures to detect unusual activity, such as abnormal use of script hosts or unexpected file modifications.
- Monitoring processes launched by explorer.exe that involve binaries known to be abused, such as AutoHotkey or JamPlus, using their specific hashes.
- Scrutinizing files in the Downloads or Temp directories for suspicious behavior, particularly those with the MotW label.
- Detecting overwriting activities on LNK files by explorer.exe, especially in user download folders or when linked to MotW.
- Focusing on common attacker techniques like in-memory evasion, persistence, and lateral movement to catch potential intrusions early.
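As an added example, not code from the article or from Elastic's own detection rules, the following Python check implements the LNK-overwrite detection described above over a handful of constructed Sysmon-style file-write events. The field names and the `has_motw` flag (standing in for the presence of a Zone.Identifier alternate data stream) are assumptions rather than a real event schema.

```python
import ntpath

# Constructed Sysmon-style file-write events (hypothetical field names, not a real schema).
# 'has_motw' stands in for the presence of a Zone.Identifier alternate data stream.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\explorer.exe", "action": "write",
     "path": r"C:\Users\alice\Downloads\invoice.lnk", "has_motw": True},
    {"process": r"C:\Windows\explorer.exe", "action": "write",
     "path": r"C:\Users\alice\Desktop\notes.lnk", "has_motw": False},
    {"process": r"C:\Windows\EXPLORER.EXE", "action": "write",
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.lnk", "has_motw": True},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "action": "write",
     "path": r"C:\Users\alice\Downloads\x.lnk", "has_motw": True},
    {"process": r"C:\Windows\explorer.exe", "action": "write",
     "path": r"C:\Users\alice\Downloads\report.pdf", "has_motw": True},
]

def in_downloads(path: str) -> bool:
    """True if any directory component of the Windows path is a 'Downloads' folder."""
    parts = ntpath.normpath(path).lower().split("\\")
    return "downloads" in parts[:-1]

def lnk_stomping_indicators(event: dict) -> list[str]:
    """Return the reasons an event matches the LNK-stomping write pattern, or [] if none apply.

    The pattern is: explorer.exe writes to a .lnk file that sits under a Downloads
    folder or that carries the Mark of the Web. Ordinary shortcut edits elsewhere
    (e.g. a desktop shortcut without MotW) are deliberately not flagged.
    """
    if ntpath.basename(event["process"]).lower() != "explorer.exe":
        return []
    if event["action"] != "write":
        return []
    path = event["path"]
    if ntpath.splitext(path)[1].lower() != ".lnk":
        return []
    reasons = []
    if in_downloads(path):
        reasons.append("lnk written by explorer.exe under a Downloads folder")
    if event.get("has_motw"):
        reasons.append("lnk carries Mark of the Web and was rewritten by explorer.exe")
    return reasons

def detect_lnk_stomping(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the indicator check over a batch of events and collect (path, reasons) hits."""
    hits = []
    for ev in events:
        reasons = lnk_stomping_indicators(ev)
        if reasons:
            hits.append((ev["path"], reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in detect_lnk_stomping(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

On the sample batch only the Downloads shortcut and the MotW-tagged Temp shortcut are reported; the PowerShell-written file and the non-LNK file fall outside this rule and would need the other measures listed above.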
The findings by Elastic highlight substantial security gaps in Windows Smart App Control and SmartScreen, but it is unclear when Microsoft plans to roll out fixes. Until then, system administrators and users are advised to apply the mentioned precautions to prevent exploitation.