Windows Defender SmartScreen App Install Control Disabled via Registry Modification

Attackers are disabling the Windows Defender SmartScreen App Install Control feature by modifying specific registry keys. This action circumvents a built-in Windows security control designed to prevent the installation of potentially malicious applications downloaded from the web. This allows for the installation of harmful applications without user prompts or restrictions, significantly increasing the risk of system compromise. This behavior, while not commonly seen in default configurations, allows for increased attack opportunities. The targeting scope includes Windows systems where the App Install Control feature is enabled, and success allows for further malicious payloads to be executed.

Attack Chain

1. An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
2. The attacker escalates privileges to gain administrative rights if necessary.
3. The attacker uses a command-line tool like reg.exe or PowerShell to modify the registry.
4. The attacker modifies the ConfigureAppInstallControl value under the HKLM:\SOFTWARE\Microsoft\Windows Defender\SmartScreen registry key.
5. The attacker sets the ConfigureAppInstallControl value to “Anywhere” or modifies ConfigureAppInstallControlEnabled to “0x00000000”.
6. The Windows Defender SmartScreen App Install Control is disabled.
7. The attacker downloads and executes a malicious application from the web.
8. The malicious application compromises the system, potentially leading to data theft or further malicious activities.

Impact

Disabling the App Install Control can lead to the installation of malware, potentially affecting a large number of systems. This can result in data breaches, financial loss, and reputational damage. If successful, the attackers gain the ability to bypass built-in security features, increasing the likelihood of a successful compromise.

Recommendation

• Enable Sysmon EventID 13 logging to monitor registry modifications (reference: Sysmon EventID 13 data source).
• Deploy the Sigma rule provided in this brief to your SIEM to detect the modification of the specific registry keys related to App Install Control (reference: Sigma rule).
• Investigate any alerts generated by this rule to determine if the activity is malicious.
• Implement Group Policy settings to prevent users from modifying these registry keys (reference: Registry.registry_path and Registry.registry_value_data in the Sigma rule).