Attackers frequently target weaknesses in Windows Smart App Control and SmartScreen to run malicious code and applications for their own purposes.
Threat actors can use these weaknesses to defeat Windows security features, gain unauthorized access, steal sensitive data, and compromise system integrity.
Cybersecurity researchers at Elastic Security Labs found that weaknesses in Windows Smart App Control and SmartScreen let attackers compromise the system.
Windows Smart App Control vulnerability
Microsoft's Windows security features, SmartScreen and Smart App Control (SAC), aim to protect users from malicious software.
SmartScreen, introduced in Windows 8, relies on the Mark of the Web (MotW) applied to downloaded files, while SAC, introduced in Windows 11, checks with a cloud service to decide whether an app is safe to run.
Nevertheless, these measures have not stopped attackers, who have developed sophisticated bypass techniques.
These include signing malware with certificates obtained fraudulently, and reputation hijacking, in which attackers abuse already-trusted applications to execute malicious code.
The Elastic Security Labs report said that these weaknesses represent a never-ending battle between security developers and threat actors, highlighting the need for continuous improvement in defense strategies.
Attackers have developed sophisticated methods to defeat reputation-based security systems such as Microsoft's Smart App Control (SAC) and SmartScreen.
These techniques include the following:
- Seeding: Attackers distribute seemingly harmless binaries that build up a trusted reputation over time. The binaries appear benign and well-behaved but contain hidden malicious functionality that activates after a specific trigger or period of time. SAC is particularly vulnerable to this approach when the binary uses basic anti-emulation techniques.
- Reputation tampering: Surprisingly, in some cases modifying a file does not affect its reputation in SAC. SAC appears to rely on fuzzy hashing or ML-based similarity comparison rather than a strict cryptographic hash, so a file can keep its trusted status even after attackers have tampered with parts of its code.
- Mark of the Web (MotW) bypass: A significant risk comes from specially crafted LNK files. Windows Explorer rewrites these files in a way that strips the MotW label before any security checks are performed. Such crafting includes appending characters to the end of the target executable path or using relative paths inside the LNK file.
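The MotW that SmartScreen and SAC consult lives in a file's Zone.Identifier alternate data stream, so a defender checking whether a downloaded file still carries its mark can read and classify that stream. The following is an added example, not code from the article or from Elastic Security Labs; the sample stream text is constructed, the zone names follow the standard URL security zone numbering, and the Windows-only reader opens the stream by the `path:Zone.Identifier` name.

```python
"""Parse a Zone.Identifier stream and classify the Mark of the Web it carries."""
import sys

# Standard URL security zone numbering written into Zone.Identifier
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream_text):
    """Return the key/value pairs of the INI-style [ZoneTransfer] section."""
    fields = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify_motw(stream_text):
    """Return (zone_id, zone_name, internet_origin), or None when no usable MotW is present.

    A file with no ZoneId has no mark for SmartScreen or SAC to check, which is
    the state a MotW-stripping LNK leaves its target in.
    """
    fields = parse_zone_identifier(stream_text)
    if "ZoneId" not in fields:
        return None
    try:
        zone = int(fields["ZoneId"])
    except ValueError:
        return None
    return zone, ZONE_NAMES.get(zone, "Unknown"), zone >= 3


def read_zone_identifier(path):
    """Windows only: read the file's Zone.Identifier ADS, or None if it has none."""
    if not sys.platform.startswith("win"):
        raise OSError("Alternate data streams are only readable on Windows NTFS")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return None


# Constructed sample: what a browser typically writes for an internet download
SAMPLE_INTERNET_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/tool.exe\r\n"
)

if __name__ == "__main__":
    print(classify_motw(SAMPLE_INTERNET_STREAM))
    print(classify_motw(""))  # no stream content: nothing for SmartScreen to evaluate
```

On a live Windows host, `classify_motw(read_zone_identifier(path) or "")` returning `None` for a file that a browser just downloaded is the condition worth investigating, since the mark should have been present.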
These attack vectors have been observed in real-world malware samples, with some MotW bypass techniques dating back six years.
The persistence and evolution of these techniques highlight the ongoing challenge in cybersecurity, which requires regular enhancement of defense strategies to keep pace with increasingly sophisticated attacks.
Because of their polymorphic nature, reputation hijacking attacks are difficult to detect. Blocking known abused applications is a good starting point, but it is usually reactive.
More effective mechanisms include developing behavioral signatures for commonly abused categories of software and monitoring downloaded files, particularly files found in non-standard locations.
LNK file modifications made by explorer.exe should also be monitored, as they may indicate a MotW bypass. Finally, robust behavioral monitoring for specific attack techniques is critical, since reputation-based defenses alone cannot protect against advanced threats.
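Two of the recommendations above, watching for explorer.exe rewriting LNK files and for internet-marked files landing outside the usual download directories, can be expressed as simple rules over file telemetry. The following is an added example and not Elastic's detection logic; the event records are constructed to resemble file create/modify telemetry with the file's MotW zone attached, and the directory allowlist is a hypothetical starting point that a real deployment would baseline.

```python
"""Rule-based checks over constructed file telemetry for MotW bypass indicators."""
import ntpath

# Hypothetical allowlist of directories where browser downloads normally land
EXPECTED_DOWNLOAD_DIRS = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
INTERNET_ZONE = 3


def is_lnk_write_by_explorer(evt):
    """explorer.exe creating or modifying a .lnk file: candidate MotW-stripping rewrite."""
    image = ntpath.basename(evt["image"]).lower()
    ext = ntpath.splitext(evt["target"])[1].lower()
    return image == "explorer.exe" and ext == ".lnk" and evt["event"] in ("FileCreate", "FileModify")


def is_internet_file_in_unusual_dir(evt):
    """A file carrying ZoneId=3 written somewhere other than the usual download paths."""
    if evt.get("zone_id") != INTERNET_ZONE:
        return False
    directory = ntpath.dirname(evt["target"]).lower() + "\\"
    return not any(allowed in directory for allowed in EXPECTED_DOWNLOAD_DIRS)


RULES = [
    ("lnk_modified_by_explorer", is_lnk_write_by_explorer),
    ("internet_file_in_unusual_location", is_internet_file_in_unusual_dir),
]


def analyze(events):
    """Return (rule_name, target_path) for every event that matches a rule."""
    alerts = []
    for evt in events:
        for name, check in RULES:
            if check(evt):
                alerts.append((name, evt["target"]))
    return alerts


# Constructed sample telemetry: one benign download, one suspicious LNK rewrite,
# one internet-marked executable in a shared directory, one benign Explorer write
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": "C:\\Program Files\\Browser\\browser.exe",
     "target": "C:\\Users\\alice\\Downloads\\report.pdf", "zone_id": 3},
    {"event": "FileModify", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\Downloads\\invoice.lnk", "zone_id": None},
    {"event": "FileCreate", "image": "C:\\Program Files\\Browser\\browser.exe",
     "target": "C:\\Users\\Public\\update.exe", "zone_id": 3},
    {"event": "FileModify", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\Desktop\\notes.txt", "zone_id": None},
]

if __name__ == "__main__":
    for rule, target in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {target}")
```

explorer.exe legitimately writes shortcuts when users create or pin them, so the first rule is a hunting lead to be tuned against normal volume rather than a standalone block signal; pairing it with a subsequent process launch from the same LNK target is what turns it into a high-confidence alert.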