Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Summary:
Reputation-based security controls may be less effective than commonly assumed at protecting organizations from unsafe applications and content, according to a new study by Elastic Security. These controls decide whether to allow an application or file based on its established reputation and trustworthiness, and the researchers identified several techniques attackers use to turn that trust against the control: digitally signed malware, reputation hijacking, reputation seeding, reputation tampering, and specially crafted Windows shortcut (LNK) files that evade detection.


The study focuses on Microsoft's Windows Smart App Control and SmartScreen, which evaluate an application's trustworthiness from its reputation before allowing it to run. Both were found susceptible to bypasses. In one technique, dubbed "LNK Stomping," attackers craft a malformed Windows shortcut (LNK) file so that, when the user opens it, Windows rewrites the shortcut and in doing so strips the Mark of the Web label that SmartScreen relies on, letting the payload run without the usual warning. In another, reputation hijacking, attackers do not bring their own executable at all but abuse script hosts that already carry a good reputation, such as the Lua, Node.js, and AutoHotkey interpreters, to run attacker-controlled scripts.


Security Officer Comments:
Another method identified is reputation seeding, in which attackers plant files that look benign so they accumulate a good reputation over time: either a seemingly harmless file the attacker controls, or a legitimate application with a known vulnerability that can be exploited later. The study shows the technique is practical against Smart App Control: a seeded sample that did nothing harmful earned a positive reputation label after only a short period.

Suggested Corrections:
To counter these threats, Elastic Security advises organizations not to rely on reputation alone and to complement it with behavior-based detection. Monitoring for the tactics that follow initial execution, such as credential access, enumeration, in-memory evasion, persistence, and lateral movement, catches intrusions regardless of how the initial payload slipped past the reputation check, and so adds a layer of protection against these bypass techniques.
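As an added illustration of that advice (example code written for this brief, not Elastic's detection rules or the article's own material), the following Python detector runs over constructed process-creation events and flags the reputation-hijacking chain described above: a reputable script host (Lua, Node.js, AutoHotkey) executing a script that arrived from the Internet. It checks the script's Zone.Identifier stream, whose INI-style layout ("[ZoneTransfer]", "ZoneId=3") and zone numbers (3 = Internet, 4 = Restricted) are Windows' real format, but it also keeps a second rule on the execution chain itself (explorer.exe launching a script host on a file in a download directory) because after LNK stomping the Mark of the Web is gone and a label-only rule would stay silent. The event fields, the list of script hosts, the directory markers and the sample events are all assumptions for the example.

```python
"""Behavioural detector for reputation-hijacking execution chains.

Added example, not code from Elastic Security or the article. Event schema,
script-host list, directory markers and sample events are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Interpreters that usually carry a good reputation yet run any script they
# are handed (assumed list; extend for your environment).
SCRIPT_HOSTS = {"lua.exe", "lua54.exe", "node.exe", "autohotkey.exe", "autohotkey64.exe"}
SCRIPT_EXTENSIONS = (".lua", ".js", ".ahk")
# Path fragments where downloaded or extracted files usually land (assumed).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# URLZONE_INTERNET and URLZONE_UNTRUSTED: the zones that trigger SmartScreen.
INTERNET_ZONES = {3, 4}


@dataclass
class ProcessEvent:
    """One process-creation record (constructed schema for the example)."""
    pid: int
    parent_image: str
    image: str
    command_line: str
    # Contents of <script>:Zone.Identifier, or None when the file has no MotW.
    zone_identifier: Optional[str] = None


def parse_zone_identifier(text: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent."""
    if not text:
        return None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def split_args(command_line: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted tokens whole."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def script_argument(command_line: str) -> Optional[str]:
    """Return the first argument (after argv[0]) that names a script file."""
    for arg in split_args(command_line)[1:]:
        if arg.lower().endswith(SCRIPT_EXTENSIONS):
            return arg
    return None


def analyse(event: ProcessEvent) -> list:
    """Return the names of the rules that fire for one event (empty if none)."""
    findings = []
    if ntpath.basename(event.image).lower() not in SCRIPT_HOSTS:
        return findings
    script = script_argument(event.command_line)
    if script is None:
        return findings
    # Rule 1: the script still carries an Internet-zone Mark of the Web.
    if parse_zone_identifier(event.zone_identifier) in INTERNET_ZONES:
        findings.append("trusted_script_host_runs_internet_zone_script")
    # Rule 2: chain-based. Fires even when no MotW survives (e.g. after LNK
    # stomping) because it looks at who launched what from where.
    parent = ntpath.basename(event.parent_image).lower()
    if parent == "explorer.exe" and any(m in script.lower() for m in USER_WRITABLE_MARKERS):
        findings.append("script_host_launched_by_explorer_from_download_dir")
    return findings


# Constructed sample events: a labelled download, a stomped (unlabelled)
# download, and a developer running node from a source tree.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe", r"C:\Program Files\nodejs\node.exe",
                 r'"C:\Program Files\nodejs\node.exe" "C:\Users\bob\Downloads\invoice.js"',
                 "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.js\r\n"),
    ProcessEvent(2, r"C:\Windows\explorer.exe", r"C:\Tools\lua\lua54.exe",
                 r'"C:\Tools\lua\lua54.exe" C:\Users\bob\Downloads\report.lua', None),
    ProcessEvent(3, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\nodejs\node.exe",
                 r'node "C:\dev\app\server.js"', None),
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each event's pid to the rules that fired."""
    return {e.pid: analyse(e) for e in events}


if __name__ == "__main__":
    for pid, hits in run().items():
        print(pid, hits or "no findings")
```

The second event is the instructive one: the script has no Zone.Identifier at all, so a control that only inspects the label sees nothing, while the chain rule still fires. In production the same idea is usually extended with the other tactics the brief lists (credential access, persistence, lateral movement) so that a payload which defeats every file-level check is still caught by what it does next.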


Link(s):
https://www.darkreading.com/applica...echniques-to-bypass-reputation-based-security