It has been found that reputation-based security controls may not be as effective as believed in safeguarding organizations against unsafe web applications and content. Researchers at Elastic Security have discovered that attackers have developed various techniques to circumvent mechanisms that rely on reputation and trustworthiness.
These techniques include the use of digitally signed malware tools to appear legitimate, reputation hijacking, reputation tampering, and the use of specially crafted LNK files. While reputation-based protection systems are useful in blocking common malware, they are not foolproof and can be bypassed with careful tactics.
Multiple Available Techniques
In a recent study, Elastic Security researchers examined Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of reputation-based mechanisms that attackers have found ways to bypass.
SmartScreen, introduced by Microsoft with Windows 8, aims to protect users from malicious websites, applications, and file downloads by checking the reputation of files that carry the Mark of the Web (MoTW). Smart App Control, available with Windows 11, uses threat intelligence to determine the trustworthiness of applications before allowing them to run.
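Because both protections key off the MoTW, it helps to see what that mark actually is on disk. The following is an added example (not code from Elastic Security or Microsoft) that parses the documented form of the mark: an NTFS alternate data stream named "Zone.Identifier" holding an INI-style [ZoneTransfer] section whose ZoneId records where the file came from. The sample stream content is constructed for illustration; the read_motw helper only works on NTFS under Windows, where the "file:stream" path syntax is understood, and returns None elsewhere.

```python
"""Inspect the Mark of the Web (MoTW) that SmartScreen consults.

Added example, not Elastic Security's or Microsoft's code. It assumes the
documented on-disk form of MoTW: an NTFS alternate data stream named
"Zone.Identifier" containing an INI-style [ZoneTransfer] section with a
ZoneId value (and, for browser downloads, ReferrerUrl/HostUrl fields).
"""
import configparser
from typing import Optional

# URL security zone identifiers as written into Zone.Identifier streams.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of a Zone.Identifier stream for a browser download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/downloads/
HostUrl=https://example.invalid/files/tool.zip
"""


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier stream content into a dict of its fields.

    Returns an empty dict when there is no [ZoneTransfer] section or the
    content is not parseable, which is how a file without MoTW is treated.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written (ZoneId, HostUrl)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("ZoneTransfer"):
        return {}
    return dict(parser.items("ZoneTransfer"))


def zone_label(info: dict) -> str:
    """Map parsed stream fields to a human-readable zone, or "no MoTW"."""
    raw = info.get("ZoneId")
    if raw is None:
        return "no MoTW"
    try:
        zone_id = int(raw)
    except ValueError:
        return "malformed ZoneId"
    return ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}")


def is_from_untrusted_zone(info: dict) -> bool:
    """True for the Internet (3) and Restricted Sites (4) zones, the cases
    in which Windows treats the file as coming from the web."""
    try:
        return int(info.get("ZoneId", "")) in (3, 4)
    except ValueError:
        return False


def read_motw(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier stream on NTFS (Windows only).

    Returns None when the stream is absent or the platform cannot address
    alternate data streams through the "file:stream" path syntax.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(zone_label(info), "from", info.get("HostUrl"))
```

Run on a real download on Windows, read_motw returns the same kind of dict the parser produces from the sample; a file that yields None or an empty dict carries no mark, and SmartScreen will not perform its reputation check on it. That asymmetry is exactly why techniques that strip or avoid the mark, such as the crafted LNK files mentioned above, matter to defenders.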
Elastic Security researchers uncovered multiple ways in which attackers can bypass these protections.
LNK Stomping Around MoTW
One common method used by attackers to evade Smart App Control is to sign their malware with an extended validation (EV) SSL certificate. Attackers have also used reputation hijacking, abusing trusted script hosts such as Lua and Node.js. Another technique identified is reputation seeding, in which attackers introduce seemingly benign files to build up a positive reputation over time.
To enhance security, organizations are advised to use behavior analysis tools to detect common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.