{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-defender-smartscreen-app-install-control/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender SmartScreen App Install Control"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-abuse","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers disable the Windows Defender SmartScreen App Install Control feature by modifying two values under its registry key. App Install Control is the built-in Windows setting that restricts where applications may be installed from (for example, Microsoft Store apps only) and is meant to stop potentially malicious applications downloaded from the web from being installed. Disabling it lets a downloaded application install without the prompt or block the policy would otherwise produce, which significantly increases the risk of system compromise. The behaviour is uncommon because the feature is not enabled in a default configuration; where an organisation has turned it on, removing it widens the attack surface. 
The targeting scope includes Windows systems where App Install Control is enabled, and success allows further malicious payloads to be installed and executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain administrative rights, which are required to write under \u003ccode\u003eHKLM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool such as \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell (\u003ccode\u003eSet-ItemProperty\u003c/code\u003e) to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker targets the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SmartScreen\u003c/code\u003e key (\u003ccode\u003eHKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\SmartScreen\u003c/code\u003e in PowerShell drive notation).\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eConfigureAppInstallControl\u003c/code\u003e string value to \u0026ldquo;Anywhere\u0026rdquo; or the \u003ccode\u003eConfigureAppInstallControlEnabled\u003c/code\u003e DWORD value to \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eWindows Defender SmartScreen App Install Control is disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads and executes a malicious application from the web.\u003c/li\u003e\n\u003cli\u003eThe malicious application compromises the system, potentially leading to data theft or further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling App Install Control can lead to the installation of malware, potentially affecting a large number of systems. This can result in data breaches, financial loss, and reputational damage. 
If successful, the attackers gain the ability to bypass a built-in security feature, increasing the likelihood of a successful compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 13 (RegistryEvent, value set) logging and make sure the deployed Sysmon configuration's RegistryEvent rules cover the \u003ccode\u003eWindows Defender\\SmartScreen\u003c/code\u003e key; Sysmon records only the registry writes its configuration admits, so a filtered configuration will drop the write silently.\u003c/li\u003e\n\u003cli\u003eDeploy a detection rule (Sigma, or a Splunk search over the Endpoint \u003ccode\u003eRegistry\u003c/code\u003e data model) that matches \u003ccode\u003eRegistry.registry_path\u003c/code\u003e ending in \u003ccode\u003eSmartScreen\\ConfigureAppInstallControl\u003c/code\u003e or \u003ccode\u003eSmartScreen\\ConfigureAppInstallControlEnabled\u003c/code\u003e together with \u003ccode\u003eRegistry.registry_value_data\u003c/code\u003e of \u003ccode\u003eAnywhere\u003c/code\u003e or \u003ccode\u003e0x00000000\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine whether the activity is malicious, starting with the writing process and user; a change made outside a policy refresh or a known administration tool is suspect.\u003c/li\u003e\n\u003cli\u003eEnforce the setting through Group Policy or MDM so that a tampered value is reset at the next policy refresh, and keep local administrator membership minimal, since writing this \u003ccode\u003eHKLM\u003c/code\u003e key already requires administrative rights.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-app-install-control/","summary":"Attackers modify the Windows Registry to disable Windows Defender SmartScreen App Install Control, potentially allowing the installation of malicious web-based applications without restrictions, leading to system compromise and sensitive information exposure.","title":"Windows Defender SmartScreen App Install Control Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-app-install-control/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Defender SmartScreen App Install Control","version":"https://jsonfeed.org/version/1.1"}
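The detection the brief's Recommendation section calls for, as an added example that is not CraftedSignal's or Splunk's own rule: a small Python matcher that parses Sysmon Event ID 13 (RegistryEvent: Value Set) records and flags the two value changes from the attack chain, ConfigureAppInstallControl set to "Anywhere" and ConfigureAppInstallControlEnabled set to 0. The event records are constructed for the example; the field names (EventType, Image, TargetObject, Details) follow Sysmon's RegistryEvent schema and the "DWORD (0x00000000)" rendering is how Sysmon reports REG_DWORD data in Details, while the process images and the CreateKey record are made up.

```python
"""Detect Sysmon Event ID 13 records that disable SmartScreen App Install Control.

Added example, not the brief's or Splunk's rule. The input events are
constructed below in the Sysmon event XML layout (System/EventID plus
EventData/Data fields); nothing here reads a live event log.
"""
import re
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Both values live under HKLM\SOFTWARE\Microsoft\Windows Defender\SmartScreen.
# The hive is anchored to HKLM because the control is machine-wide; a write to
# a user hive is ineffective and is deliberately left to a broader rule.
TARGET_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SmartScreen\\"
    r"ConfigureAppInstallControl(Enabled)?$",
    re.IGNORECASE,
)
# Sysmon renders REG_DWORD data in Details as, for example, "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", SYSMON_NS).text)}
    for data in root.findall("e:EventData/e:Data", SYSMON_NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def disables_app_install_control(event):
    """True when the event sets ConfigureAppInstallControl to 'Anywhere' or
    ConfigureAppInstallControlEnabled to 0 (the two changes in the attack chain)."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    m = TARGET_RE.match(event.get("TargetObject", ""))
    if not m:
        return False
    details = event.get("Details", "")
    if m.group(1) is None:            # ConfigureAppInstallControl (REG_SZ)
        return details.lower() == "anywhere"
    dm = DWORD_RE.match(details)      # ConfigureAppInstallControlEnabled (REG_DWORD)
    return dm is not None and int(dm.group(1), 16) == 0


def find_alerts(xml_events):
    """Return (Image, TargetObject, Details) for every event that matches."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if disables_app_install_control(ev):
            alerts.append((ev.get("Image", ""), ev["TargetObject"], ev["Details"]))
    return alerts


def make_event(image, target, details, event_id=13, event_type="SetValue"):
    """Build a constructed Sysmon registry event in the real event XML layout."""
    details_xml = "" if details is None else f'<Data Name="Details">{details}</Data>'
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        '<EventData>'
        f'<Data Name="EventType">{event_type}</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetObject">{target}</Data>'
        f'{details_xml}'
        '</EventData></Event>'
    )


KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\SmartScreen"
# Constructed sample events: two attacker writes, two benign writes, one key creation.
SAMPLE_EVENTS = [
    # reg.exe sets the policy to Anywhere: alert
    make_event(r"C:\Windows\System32\reg.exe", KEY + r"\ConfigureAppInstallControl", "Anywhere"),
    # PowerShell turns the control off: alert
    make_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               KEY + r"\ConfigureAppInstallControlEnabled", "DWORD (0x00000000)"),
    # Policy refresh hardens the setting to StoreOnly: no alert
    make_event(r"C:\Windows\System32\svchost.exe", KEY + r"\ConfigureAppInstallControl", "StoreOnly"),
    # Control re-enabled: no alert
    make_event(r"C:\Windows\System32\svchost.exe",
               KEY + r"\ConfigureAppInstallControlEnabled", "DWORD (0x00000001)"),
    # Key creation (Event ID 12) rather than a value set: no alert
    make_event(r"C:\Windows\System32\reg.exe", KEY, None, event_id=12, event_type="CreateKey"),
]

if __name__ == "__main__":
    for image, target, details in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {image} set {target} = {details}")
```

The matcher keys on value name plus value data rather than on the key path alone, so a policy refresh that hardens the setting (StoreOnly, or Enabled=1) does not fire; in production the writing process and user from the same event are the first triage fields, as the Recommendation section notes.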