https://feed.craftedsignal.io/tags/smartscreen/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-disable-smartscreen/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-disable-smartscreen/Attackers disable Windows SmartScreen protection by modifying specific registry keys to evade detection and facilitate malware deployment.Attackers may attempt to disable Windows SmartScreen to evade detection and deliver malware payloads. Windows SmartScreen provides a warning system against phishing and malware, so disabling it can significantly increase the risk of successful attacks. This is often done by Remote Access Trojans (RATs) to evade detection while downloading additional payloads. The technique involves modifying specific registry keys to turn off the SmartScreen feature. This allows attackers to bypass security measures designed to protect users from malicious software and phishing attempts.

Attack Chain

1. Initial Access: The attacker gains initial access to the system through unspecified means, such as exploiting a vulnerability or using stolen credentials.
2. Privilege Escalation: The attacker escalates privileges if necessary to gain the required permissions to modify the registry.
3. Registry Modification: The attacker modifies the registry keys associated with SmartScreen to disable the protection. This includes setting the SmartScreenEnabled value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ or EnableSmartScreen under HKLM\Microsoft\Windows\System\ to “Off” or “0”.
4. Persistence: The attacker may establish persistence to ensure that the SmartScreen remains disabled even after a reboot.
5. Payload Delivery: With SmartScreen disabled, the attacker downloads and executes malicious payloads, such as malware or RATs, without triggering security warnings.
6. Lateral Movement: The attacker may use the compromised system to move laterally within the network, targeting other systems and resources.
7. Data Exfiltration: The attacker exfiltrates sensitive data from the compromised system or network.

Impact

Disabling SmartScreen can lead to a significant increase in successful malware infections and phishing attacks. Users are no longer warned about potentially malicious files or websites, making them more vulnerable to exploitation. This can result in data breaches, financial losses, and reputational damage. While specific numbers are unavailable, the impact is potentially widespread across organizations that rely on Windows SmartScreen as a security measure.

Recommendation

• Monitor registry modifications for changes to the SmartScreenEnabled and EnableSmartScreen registry keys and values using the provided Sigma rule (SmartScreenDisabledViaRegistry).
• Enable Sysmon Event ID 13 to collect registry modification events, which are necessary for the Sigma rule to function (SmartScreenDisabledViaRegistry).
• Investigate any detected instances of SmartScreen being disabled to determine if the activity is malicious.
• Implement strict access controls to prevent unauthorized users from modifying registry settings.
• Regularly review and audit registry settings to ensure that SmartScreen is enabled and functioning correctly.
• Deploy the Sigma rule in this brief to your SIEM and tune for your environment.

]]>highadvisorydefense-evasionregistry-modificationsmartscreenhttps://feed.craftedsignal.io/briefs/2024-01-smartscreen-override/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-smartscreen-override/Attackers modify the Windows registry to disable SmartScreen prompt overrides, potentially allowing users to bypass security warnings and execute harmful content, leading to system compromise.This threat brief focuses on a technique used to impair Windows Defender SmartScreen protection by modifying specific registry settings. The attack involves altering the “PreventSmartScreenPromptOverride” registry value to allow users to bypass SmartScreen warnings. This manipulation effectively disables a key security control, making systems more vulnerable to malware and phishing attacks. While specific threat actors are not attributed in the source, the technique is a common tactic used by various threat actors to weaken defenses before or during an attack. This technique has been observed as recently as January 2024. This matters to defenders because SmartScreen is a critical defense against drive-by downloads and malicious websites. Disabling it greatly increases the attack surface.

Attack Chain

1. Initial Access: The attacker gains initial access to the system through unspecified means (e.g., compromised credentials or exploitation of a vulnerability).
2. Privilege Escalation (if needed): The attacker may need to escalate privileges to modify the registry.
3. Registry Modification: The attacker modifies the registry value at HKLM\Software\Policies\Microsoft\Edge\PreventSmartScreenPromptOverride or HKCU\Software\Policies\Microsoft\Edge\PreventSmartScreenPromptOverride.
4. Setting Value to 0: The attacker sets the PreventSmartScreenPromptOverride value to 0x00000000, effectively disabling the prompt override prevention.
5. SmartScreen Weakening: With the registry change in place, SmartScreen prompt overrides are allowed, reducing the effectiveness of the security feature.
6. User Interaction: The attacker relies on user interaction (e.g., clicking a malicious link or opening a malicious file) to execute harmful content.
7. Malware Execution: The user bypasses the SmartScreen warning, leading to the execution of malware or malicious code.
8. System Compromise: The executed malware compromises the system, potentially leading to data theft, further exploitation, or other malicious activities.

Impact

The impact of a successful SmartScreen override can be significant. Systems become more vulnerable to malware and phishing attacks, potentially leading to widespread infections, data breaches, and financial losses. While the exact number of victims is unknown, any system where this registry modification occurs is at increased risk. This technique is particularly effective in organizations with less security awareness or where users may be more prone to bypassing security warnings.

Recommendation

• Enable Sysmon EventID 13 logging to monitor registry modifications as indicated by the data_source field.
• Deploy the Sigma rule Detect SmartScreen Prompt Override to your SIEM and tune for your environment.
• Monitor changes to the PreventSmartScreenPromptOverride registry setting specifically using the registry_path field in the provided search query.
• Investigate any alerts triggered by the Sigma rule to determine if the registry modification is malicious based on the description.

]]>highadvisorydefense-evasionregistry-modificationsmartscreen