August 6, 2024 at 10:44AM
Elastic Security Labs disclosed several methods attackers can use to launch malicious applications without triggering Windows’ built-in security warnings. One method, “LNK Stomping,” exploits a bug in Windows’ handling of shortcut (.LNK) files to bypass SmartScreen and Smart App Control. Elastic engaged with Microsoft about the issue, but no immediate fix has been promised. Other reputation-based bypass methods were also discussed.
Based on the meeting notes, here are the key takeaways:
1. Elastic Security Labs has identified several methods that attackers can use to bypass Windows’ security warnings, particularly focusing on bypassing Windows SmartScreen and Smart App Control (SAC).
2. One of the techniques uncovered is a bug in the way Windows shortcut files (.LNK) are handled, dubbed “LNK Stomping,” which nullifies Windows’ Mark of the Web (MotW) and allows malicious apps to evade SmartScreen and SAC.
3. Elastic has engaged with Microsoft regarding mitigation of the bug, with no specific promises of a patch at this time.
4. Other bypass techniques include reputation hijacking, reputation seeding, and reputation tampering, all aimed at bypassing the reputation-based protections of SmartScreen and SAC.
5. Security professionals are advised to adjust their detection engineering to address the coverage gaps highlighted by these bypass techniques until a patch is available.