Bypass Record

Masquerading × Microsoft Defender SmartScreen

A publicly-reported instance of Masquerading bypassing Microsoft Defender SmartScreen, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender SmartScreen
Technique: Masquerading
MITRE ATT&CK: T1036
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-11-11
Config / version noted: Not stated

Provenance

Reported as

Windows Defender remained silent during the proof-of-concept.

Mechanism

BYOR leverages script files (.bat, .cmd, .vbs) that have built up a positive reputation with SmartScreen because of their age and download count. These scripts contain insecure code paths that allow sideloading of an unsigned malicious executable. Because the parent script is trusted, the spawned executable inherits that trust, bypassing Mark-of-the-Web (MOTW) and SmartScreen prompts. The technique does not require code signing or EV certificates.

Detection & mitigation

Monitor for child processes spawned from script files (.bat, .cmd, .vbs) that are not typical for that script, especially unsigned executables. Implement behavioural analytics to detect anomalous process chains originating from trusted scripts. Apply application control policies to restrict execution of unsigned binaries launched by script interpreters.
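As an added illustration of the detection guidance above (not taken from the cited source), the following Python triage runs over constructed Sysmon-style process-creation events and flags unsigned executables whose parent is a script interpreter running a .bat/.cmd/.vbs file, ignoring launches from system directories. Field names, sample paths and the signed flag are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Interpreters that run .bat/.cmd/.vbs files; a script launch shows the
# script path in the interpreter's command line.
SCRIPT_INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r'\.(bat|cmd|vbs)("|\s|$)', re.IGNORECASE)
# Directories from which an unsigned child is less surprising (assumed baseline).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcEvent:
    parent_image: str    # full path of the parent process
    parent_cmdline: str  # parent command line (reveals the script being run)
    image: str           # full path of the newly created process
    signed: bool         # Authenticode status of `image` (assumed enrichment)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def spawned_by_script(ev: ProcEvent) -> bool:
    """True when the parent is a script interpreter actually running a script file."""
    return (basename(ev.parent_image) in SCRIPT_INTERPRETERS
            and SCRIPT_FILE.search(ev.parent_cmdline) is not None)


def is_suspicious(ev: ProcEvent) -> bool:
    """Unsigned executable launched by a script from outside system directories."""
    if not spawned_by_script(ev) or ev.signed:
        return False
    return not ev.image.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Return the events a SOC analyst should look at first."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\alice\Downloads\installer.bat"',
              r"C:\Users\alice\Downloads\updater.exe", signed=False),          # flagged
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\build\build.cmd"',
              r"C:\Windows\System32\findstr.exe", signed=True),                # signed: ignore
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\bob\script.vbs",
              r"C:\Users\bob\AppData\Local\Temp\helper.exe", signed=False),    # flagged
    ProcEvent(r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Users\alice\Downloads\setup.exe", signed=False),            # not from a script
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe",
              r"C:\Users\alice\tool.exe", signed=False),                       # interactive shell, no script
]
```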

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.