Cybersecurity researchers at Elastic Security Labs have uncovered design flaws in Windows Smart App Control (SAC) and SmartScreen that enable threat actors to gain initial access without security warnings or popups.
For those unaware, Microsoft (Defender) SmartScreen has been a built-in OS feature since its introduction in Windows 8.
It protects against phishing or malware websites and applications and the downloading of potentially malicious files. It runs on files that carry the “Mark of the Web” (MotW) and are clicked on by users.
With the release of Windows 11, Microsoft introduced Smart App Control (SAC), an evolution of SmartScreen.
SAC combines Microsoft’s app intelligence services and Windows’ code integrity features to protect users from malicious, untrusted (unsigned), or potentially unwanted apps running on the device.
It is worth noting that when SAC is enabled, it replaces and disables Defender SmartScreen.
Microsoft also exposes undocumented APIs for querying the trust level of files under SmartScreen and Smart App Control, which allowed the researchers to build a utility that displays the trust level of a given file.
In an investigatory report, Elastic Security Labs details a bug in the handling of LNK files (dubbed LNK stomping) that lets threat actors bypass the Smart App Control controls designed to block untrusted apps.
LNK stomping involves crafting LNK files with non-standard target paths or internal structures, or appending crafted, invalid code-signing signatures to JavaScript or MSI files.
When such a file is clicked, explorer.exe automatically rewrites the LNK file into its canonical format, and that rewrite strips the MotW label from the downloaded file before Windows’ security checks are performed.
“The easiest demonstration of this issue is to append a dot or space to the target executable path (e.g., powershell.exe.). Alternatively, one can create an LNK file that contains a relative path such as .\target.exe. After clicking the link, explorer.exe will search for and find the matching .exe name, automatically correct the full path, update the file on disk (removing MotW), and finally launch the target,” Elastic Security Labs researchers wrote in their investigatory report.
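A defender-side triage check for the two conditions described above, written as an added example for this article (it is not Elastic’s code or the utility the report mentions). It reads the target path stored in a shortcut’s LinkInfo block and flags the non-canonical shapes the researchers describe (trailing dot or space, relative path), and it reports whether a file still carries the Mark of the Web by reading its Zone.Identifier stream. The field offsets follow the public MS-SHLLINK layout; shortcuts whose only target is an IDList are reported as “no path” rather than resolved. The fixture builder at the bottom is a constructed test input for the parser, not a real shortcut from any sample.

```python
"""Triage .lnk files for non-canonical target paths and check for MotW."""
import struct

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit (MS-SHLLINK 2.3)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("cp1252", errors="replace")


def parse_lnk_target(data):
    """Return LocalBasePath + CommonPathSuffix from the LinkInfo block,
    or None when the shortcut stores no local path there."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:     # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    try:
        (_size, _hdr, info_flags, _vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            return None
        return _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
    except (struct.error, ValueError):
        raise ValueError("truncated or malformed LinkInfo") from None


def assess_lnk(data):
    """Return the reasons the stored target path is non-canonical (empty = clean).
    These are the shapes explorer.exe rewrites on click, dropping MotW."""
    target = parse_lnk_target(data)
    reasons = []
    if not target:
        return reasons
    if target[-1] in ". ":
        reasons.append("target path ends with '.' or ' '")
    absolute = (len(target) >= 3 and target[1] == ":" and target[2] == "\\") \
        or target.startswith("\\\\")
    if not absolute:
        reasons.append("target path is relative")
    return reasons


def parse_zone_identifier(stream_text):
    """Return the ZoneId from Zone.Identifier text (3 = Internet), or None."""
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and line.startswith("ZoneId="):
            try:
                return int(line.partition("=")[2])
            except ValueError:
                return None
    return None


def read_mark_of_the_web(path):
    """Windows/NTFS only: read the file's Zone.Identifier ADS; None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def triage_lnk_file(path):
    """Combine both checks for one on-disk .lnk file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"motw_zone": read_mark_of_the_web(path), "findings": assess_lnk(data)}


def build_lnk_fixture(local_base_path):
    """Constructed test fixture (assumption: minimal layout is enough to exercise
    the parser): header + LinkInfo with a VolumeID and LocalBasePath only."""
    base = local_base_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    hdr = 0x1C
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_INFO) + b"\x00" * (HEADER_SIZE - 24))
    return header + info


if __name__ == "__main__":
    for sample in (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe.", r".\target.exe"):
        print(sample, "->", assess_lnk(build_lnk_fixture(sample)) or "canonical")
```

On a Windows host, `triage_lnk_file` applied to a freshly downloaded shortcut should report `motw_zone` of 3 and an empty `findings` list; a non-empty list on a file that has already lost its Zone.Identifier stream is the combination worth escalating, since the rewrite on click is what removes the label.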
Elastic Security Labs identified multiple samples in VirusTotal that exhibit the bug, indicating it has been exploited in the wild for years; the oldest sample was submitted in February 2018, more than six years ago.
The research company shared its findings with the Microsoft Security Response Center (MSRC), which responded by saying that the issue “may be fixed in a future Windows update.”
Besides LNK stomping, Elastic Security Labs also described other weaknesses that attackers can use for detection evasion, including:
Signed Malware: Signing malware with a code-signing or legitimate Extended Validation (EV) certificate does not alert Smart App Control or SmartScreen.
Reputation Hijacking: Finding and repurposing apps that already have a good reputation to bypass the security system.
Reputation Seeding: Using binaries that appear innocuous and behave well, but that trigger a known vulnerability or embedded malicious code only when certain conditions are met or a certain time has elapsed.
Reputation Tampering: Modifying certain sections of a file without changing its reputation, which lets attackers inject malicious code into trusted binaries.
“Reputation-based protection systems are a powerful layer for blocking commodity malware. However, like any protection technique, they have weaknesses that can be bypassed with some care,” the company concluded.
“Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.”
Elastic Security Labs has released an open-source tool for checking a file’s Smart App Control trust level.