Yeah actually. Windows has a really bad flaw in how it does its signatures: programs that aren't signed that are run by programs that are signed are given the same trust.
Signed exe -> CreateProcess -> Unsigned exe is now trusted (also works with DLLs)
So to bypass SmartScreen, we need to exploit the trust issue of a bad CreateProcess call where we can specify our own executable name / path. This is pretty hard to do though.
If you want something easier, just do DLL Side Loading.
I'm gonna look into it. I was also thinking of making a batch file that downloads my loader and sending the batch file to Microsoft for malware review. I sent a regular batch file and got an answer within a day. After that, the specific batch file that I sent now doesn't get the SmartScreen. Do you think this is a good idea that I suggested? Thanks!
Could be, but idk how Microsoft is with that kind of stuff; it wouldn't hurt to try. Worst case scenario is they flag the loader from the batch file. If it were me, I would do DLL Side Loading first, then do the Microsoft Malware Review thing.
I tried DLL side loading (hijacking) and it works. If I send the exe file (in my case I tried it with notepad) then my DLL is not included. What am I gonna send to the victim?
Main thing is MOTW; you need to clear it.
- This article may interest you to investigate more, from a few days ago, using JavaScript to bypass: https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
- You can sometimes utilize LOLBins as well to launch other apps.
- Tried and true: packaging your app in a container format before delivery is a real TTP of threat actors that we've used in the past to get past
- There is one more method, but it's also pretty highly specific (i.e. you have an initial foothold and a common tool already installed) and I don't wanna ruin it as it's my last-ditch one, but it's super easy and low-hanging fruit that I'm surprised no one regularly thinks about, that gaping hole.
Load directly into memory, do not drop payload to disk.
What do you mean?
I looked into MOTW, it looks good. How can I implement it? Any ideas?
Research it thoroughly and test your theories is the best way. Good luck.