Bypass Record

Code-Signing Abuse × Microsoft Windows SmartScreen

A publicly reported instance of Code-Signing Abuse bypassing Microsoft Windows SmartScreen, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows SmartScreen
Technique: Code-Signing Abuse
MITRE ATT&CK: T1553.002
Confidence: High
Severity: Medium
Status: in the wild
Disclosed: 2024-04-26
Config / version noted: Not stated

Provenance

Reported as

CVE-2023-24880 is a zero-day vulnerability in Windows SmartScreen that allows attackers to bypass Mark of the Web (MOTW) defenses.

Mechanism

Attackers craft a malicious file (e.g., MSI) with an invalid Authenticode signature that triggers an error in SmartScreen, causing it to fail to apply MOTW-based protections. This bypasses security features like Protected View in Microsoft Office that rely on MOTW tagging.

Detection & mitigation

Monitor for files with invalid or malformed Authenticode signatures that still execute, especially MSI files downloaded from the internet. Enforce AppLocker or WDAC policies to block unsigned or invalidly signed binaries, and ensure MOTW propagation is verified by endpoint detection rules.
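One way to run the monitoring check above as a host triage sweep, given as an added example that is not taken from the cited source: it lists files that carry an Internet-zone Mark of the Web and whose Authenticode signature is present but does not validate. The `$Root` default, the extension list and the `Get-ZoneId` helper are assumptions made for illustration.

```powershell
# Added example: triage sweep, not a product detection rule.
# Assumptions: $Root is where downloads land on this host; $Extensions is a
# watch list chosen here (the record names MSI as the example file type).
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'Downloads'),
    [string[]]$Extensions = @('.msi')
)

# Hypothetical helper: read the ZoneId from the NTFS alternate data stream
# "Zone.Identifier", which is where MOTW is stored. Returns $null if absent.
function Get-ZoneId {
    param([string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        # Keep only files tagged Internet (3) or Restricted sites (4).
        if ($null -eq $zone -or $zone -lt 3) { return }

        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $status = [string]$sig.Status
        # Valid and NotSigned are the ordinary cases. Anything else
        # (HashMismatch, UnknownError, NotTrusted, ...) means a signature
        # block exists but failed validation, which is what the record flags.
        if ($status -in 'Valid', 'NotSigned') { return }

        [pscustomobject]@{
            Path            = $_.FullName
            ZoneId          = $zone
            SignatureStatus = $status
            StatusMessage   = $sig.StatusMessage
            Signer          = $sig.SignerCertificate.Subject
            SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
```

The output objects can be piped to `Export-Csv` or forwarded to a SIEM and correlated with process-creation events to find flagged files that were actually executed.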

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.