Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.
A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.
The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. Reputation-based protection systems are a powerful layer for blocking commodity malware, Elastic Security researcher Joe Desimone wrote
in a report this week
. However, like any protection technique, they have weaknesses that can be bypassed with some care.
For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.
SmartScreen is a feature
that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the
Mark of the Web
(MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted.
Smart App Control
became
available with Windows 11
. It uses Microsofts threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an apps trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.
The researchers at Elastic Security discovered that attackers have multiple ways around these protections.
One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic LNK Stomping.
Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability, Desimone wrote. With FFI, attackers can easily load and execute arbitrary code and malware in memory.
Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. Smart App Control appears vulnerable to seeding, Desimone said in his report. After executing a sample on one machine, it received a good label after approximately 2 hours.
The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Attackers Use Multiple Techniques to Bypass Reputation-Based Security