{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/smartscreen/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","smartscreen"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to disable Windows SmartScreen to evade detection and deliver malware payloads. Windows SmartScreen provides a warning system against phishing and malware, so disabling it can significantly increase the risk of successful attacks. This is often done by Remote Access Trojans (RATs) to evade detection while downloading additional payloads. The technique involves modifying specific registry keys to turn off the SmartScreen feature. This allows attackers to bypass security measures designed to protect users from malicious software and phishing attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through unspecified means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges if necessary to gain the required permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eRegistry Modification: The attacker modifies the registry keys associated with SmartScreen to disable the protection. This includes setting the \u003ccode\u003eSmartScreenEnabled\u003c/code\u003e value under \u003ccode\u003eHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\u003c/code\u003e or \u003ccode\u003eEnableSmartScreen\u003c/code\u003e under \u003ccode\u003eHKLM\\Microsoft\\Windows\\System\\\u003c/code\u003e to \u0026ldquo;Off\u0026rdquo; or \u0026ldquo;0\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence to ensure that the SmartScreen remains disabled even after a reboot.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: With SmartScreen disabled, the attacker downloads and executes malicious payloads, such as malware or RATs, without triggering security warnings.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the compromised system to move laterally within the network, targeting other systems and resources.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates sensitive data from the compromised system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling SmartScreen can lead to a significant increase in successful malware infections and phishing attacks. Users are no longer warned about potentially malicious files or websites, making them more vulnerable to exploitation. This can result in data breaches, financial losses, and reputational damage. While specific numbers are unavailable, the impact is potentially widespread across organizations that rely on Windows SmartScreen as a security measure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications for changes to the \u003ccode\u003eSmartScreenEnabled\u003c/code\u003e and \u003ccode\u003eEnableSmartScreen\u003c/code\u003e registry keys and values using the provided Sigma rule (\u003ccode\u003eSmartScreenDisabledViaRegistry\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to collect registry modification events, which are necessary for the Sigma rule to function (\u003ccode\u003eSmartScreenDisabledViaRegistry\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of SmartScreen being disabled to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to prevent unauthorized users from modifying registry settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit registry settings to ensure that SmartScreen is enabled and functioning correctly.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-smartscreen/","summary":"Attackers disable Windows SmartScreen protection by modifying specific registry keys to evade detection and facilitate malware deployment.","title":"Windows SmartScreen Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-smartscreen/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Edge","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","smartscreen"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on a technique used to impair Windows Defender SmartScreen protection by modifying specific registry settings. The attack involves altering the \u0026ldquo;PreventSmartScreenPromptOverride\u0026rdquo; registry value to allow users to bypass SmartScreen warnings. This manipulation effectively disables a key security control, making systems more vulnerable to malware and phishing attacks. While specific threat actors are not attributed in the source, the technique is a common tactic used by various threat actors to weaken defenses before or during an attack. This technique has been observed as recently as January 2024. This matters to defenders because SmartScreen is a critical defense against drive-by downloads and malicious websites. Disabling it greatly increases the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through unspecified means (e.g., compromised credentials or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker may need to escalate privileges to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegistry Modification:\u003c/strong\u003e The attacker modifies the registry value at \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Edge\\PreventSmartScreenPromptOverride\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Policies\\Microsoft\\Edge\\PreventSmartScreenPromptOverride\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSetting Value to 0:\u003c/strong\u003e The attacker sets the \u003ccode\u003ePreventSmartScreenPromptOverride\u003c/code\u003e value to \u003ccode\u003e0x00000000\u003c/code\u003e, effectively disabling the prompt override prevention.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSmartScreen Weakening:\u003c/strong\u003e With the registry change in place, SmartScreen prompt overrides are allowed, reducing the effectiveness of the security feature.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Interaction:\u003c/strong\u003e The attacker relies on user interaction (e.g., clicking a malicious link or opening a malicious file) to execute harmful content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Execution:\u003c/strong\u003e The user bypasses the SmartScreen warning, leading to the execution of malware or malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise:\u003c/strong\u003e The executed malware compromises the system, potentially leading to data theft, further exploitation, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of a successful SmartScreen override can be significant. Systems become more vulnerable to malware and phishing attacks, potentially leading to widespread infections, data breaches, and financial losses. While the exact number of victims is unknown, any system where this registry modification occurs is at increased risk. This technique is particularly effective in organizations with less security awareness or where users may be more prone to bypassing security warnings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 13 logging to monitor registry modifications as indicated by the \u003ccode\u003edata_source\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SmartScreen Prompt Override\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor changes to the \u003ccode\u003ePreventSmartScreenPromptOverride\u003c/code\u003e registry setting specifically using the \u003ccode\u003eregistry_path\u003c/code\u003e field in the provided search query.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine if the registry modification is malicious based on the \u003ccode\u003edescription\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-smartscreen-override/","summary":"Attackers modify the Windows registry to disable SmartScreen prompt overrides, potentially allowing users to bypass security warnings and execute harmful content, leading to system compromise.","title":"Windows Defender SmartScreen Prompt Override via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-smartscreen-override/"}],"language":"en","title":"CraftedSignal Threat Feed — Smartscreen","version":"https://jsonfeed.org/version/1.1"}