Bypass Record

Code-Signing Abuse × Microsoft Windows Smart App Control

A publicly-reported instance of Code-Signing Abuse bypassing Microsoft Windows Smart App Control, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Smart App Control
Technique
Code-Signing Abuse
MITRE ATT&CK
T1553.002
Confidence
High
Severity
High
Status
poc
Disclosed
2024-08-06
Config / version noted
Not stated

Provenance

Reported as

methods to bypass Windows Smart App Control and SmartScreen reputation-based protections

Mechanism

Smart App Control and SmartScreen decide whether a file may run from its signature and its cloud reputation, and the reported bypasses target the design of that reputation model rather than a single bug: (1) signing malware with a fraudulently obtained Extended Validation (EV) code-signing certificate, which the reputation system trusts on sight; (2) reputation hijacking, in which an already-trusted application (for example a script host with a foreign function interface) is repurposed to load attacker-controlled code from a predictable path without any command-line parameters, so the host's good reputation carries the payload; and (3) reputation seeding, in which a crafted binary that appears benign is submitted, allowed to accumulate a good reputation, and only later made to activate its malicious behaviour. A separate bug in LNK file handling also bypasses these controls: a shortcut with a non-standard target path is rewritten into canonical form by explorer.exe when it is opened, and that rewrite drops the Mark of the Web before the reputation check runs.

Detection & mitigation

Monitor for binaries signed with newly issued or otherwise unusual EV certificates, in particular certificates from CAs you do not normally see or with unusually short validity periods; the signer name of a loaded image is available in Sysmon Event 7 (ImageLoad), but issuance and expiry dates require inspecting the certificate itself. Enforce AppLocker or WDAC policies that restrict execution to trusted publishers and paths rather than relying on reputation alone; note that once Smart App Control has been turned off it can only be re-enabled by a clean install, so policy enforcement should not depend on it. Audit the LNK-handling path by looking for process chains in Security Event ID 4688 and Sysmon Event 1 in which explorer.exe spawns a script host or unsigned binary from a user-writable location with an empty or unexpected command line; 4688 only records the command line when the "Include command line in process creation events" policy is enabled, while Sysmon Event 1 includes it by default.
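The two detection rules above (the script-host process chain of mechanism (2) and the EV-certificate heuristics) expressed as code, run over constructed Sysmon Event 1 records and constructed signer metadata. This is an added example, not code from the cited report or from Microsoft; the script-host list, the user-writable path roots, the thresholds, the EV policy OID check and the sample events are assumptions made here, and real certificate fields would come from a PE signature parser rather than from the dicts shown.

```python
"""Detection logic for the notes above, run over constructed Sysmon Event ID 1
records and constructed signer metadata. Added illustration, not code from the
cited report; lists, thresholds and samples are assumptions."""
import xml.etree.ElementTree as ET
from datetime import date

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
REPORT_DATE = date(2024, 8, 6)  # disclosure date from the record header

# Assumption: script hosts with an FFI that will load a script from a predictable
# path. Tune to what is actually present in your estate.
SCRIPT_HOSTS = {"lua.exe", "luajit.exe", "node.exe", "autohotkey.exe", "python.exe"}
# Assumption: user-writable roots a dropped host and its script would live under.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# CA/Browser Forum EV code-signing certificate policy OID.
EV_CODE_SIGNING_OID = "2.23.140.1.3"


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event's <Data Name=...> fields into a dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}
    ev["EventID"] = int(root.find(f"{NS}System/{NS}EventID").text)
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(image, cmdline):
    """True when argv carries more than the image itself (quoted or bare)."""
    cl = cmdline.strip().strip('"').lower()
    return cl not in (image.lower(), basename(image))


def flag_reputation_hijack(ev):
    """Script host started with an empty argv from a user-writable path: the
    pattern of a trusted host picking up attacker code from a predictable file."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    if basename(image) not in SCRIPT_HOSTS:
        return None
    if not any(root in image.lower() for root in USER_WRITABLE):
        return None
    if has_arguments(image, ev.get("CommandLine", "")):
        return None
    parent = basename(ev.get("ParentImage", "")) or "?"
    return f"{basename(image)} launched with no arguments from {image} (parent {parent})"


def flag_ev_certificate(signer, observed_on, known_publishers, known_issuers,
                        max_age_days=30, min_validity_days=365):
    """Reasons an EV signer deserves a look, or None. `signer` is the parsed
    leaf certificate: subject, issuer, not_before, not_after, policy_oids."""
    if EV_CODE_SIGNING_OID not in signer["policy_oids"]:
        return None
    reasons = []
    if signer["subject"] not in known_publishers:
        reasons.append("unfamiliar publisher")
    if signer["issuer"] not in known_issuers:
        reasons.append("unfamiliar CA")
    if (observed_on - signer["not_before"]).days <= max_age_days:
        reasons.append("recently issued")
    if (signer["not_after"] - signer["not_before"]).days < min_validity_days:
        reasons.append("short validity")
    return reasons or None


def scan(events_xml):
    """Run the process-chain rule over raw Sysmon XML records; returns alert strings."""
    return [a for a in (flag_reputation_hijack(parse_sysmon_event(x)) for x in events_xml) if a]


# Constructed Sysmon Event 1 records (not real telemetry). The first is the
# LNK-launched script-host pattern; the second is an ordinary developer build.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\alice\Downloads\lua.exe</Data>
    <Data Name="CommandLine">"C:\Users\alice\Downloads\lua.exe"</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\nodejs\node.exe</Data>
    <Data Name="CommandLine">"C:\Program Files\nodejs\node.exe" build.js</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData></Event>""",
]

# Constructed signer metadata, shaped as a certificate parser would return it.
FRESH_EV_SIGNER = {
    "subject": "Contoso Widgets LLC", "issuer": "Example EV Code Signing CA",
    "not_before": date(2024, 7, 20), "not_after": date(2025, 7, 20),
    "policy_oids": {EV_CODE_SIGNING_OID},
}

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
    print(flag_ev_certificate(FRESH_EV_SIGNER, REPORT_DATE,
                              known_publishers={"Contoso Corporation"},
                              known_issuers={"Example EV Code Signing CA"}))
```

The process-chain rule deliberately keys on an empty argv rather than on explorer.exe as parent, because the LNK can itself supply arguments and the parent can be any launcher; the parent is reported in the alert so an analyst can see the shortcut path. The certificate rule only fires on EV-policy certificates so that the ordinary churn of OV and self-signed test certificates does not drown the EV signal the record describes.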

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.