bleepingcomputer[.]com/news/microsoft/windows-smart-app-control-smartscreen-bypass-exploited-since-2018/
learn.microsoft[.]com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
support.microsoft[.]com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003
Windows SmartScreen in Win10, and Smart App Control in Win11, are basically window dressing to impress the naive with Windows built-in security, warning users before they run or open a file that may be questionable. And it's trivial to bypass, avoiding the warning.
As Elastic Security Labs discovered, a bug in the handling of LNK files (dubbed LNK stomping) can help threat actors bypass Smart App Control security controls designed to block untrusted applications.

LNK stomping involves creating LNK files with non-standard target paths or internal structures. When a user clicks on such a file, explorer.exe automatically modifies the LNK file to use the correct canonical formatting.
However, this also removes the MotW (Mark of the Web) label from downloaded files, which Windows security features use to trigger a security check.
To exploit this design flaw, one can append a dot or space to the target executable path (for instance, after a binary's extension like "powershell.exe.") or create an LNK file containing a relative path, such as ".\target.exe".
When the user clicks the link, Windows Explorer will look for and identify the matching .exe name, correct the full path, remove the MotW by updating the file on disk, and launch the executable.
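The defender's angle on this is to catch the non-canonical target path in a downloaded .lnk before explorer.exe gets a chance to rewrite it. The following is an added example (not code from Elastic or BleepingComputer) that reads the LocalBasePath from a Shell Link file's LinkInfo block and flags the two shapes described above, a trailing dot or space after the target name and a relative target; `build_lnk` is a hypothetical helper that constructs minimal fixture files for the demonstration, not a real-world sample.

```python
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK format; the fixtures below are constructed.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1

def lnk_local_base_paths(data: bytes) -> list:
    """Return the LocalBasePath strings stored in a .lnk's LinkInfo block."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]          # LinkFlags sit at header offset 20
    pos, paths = HEADER_SIZE, []
    if flags & HAS_ID_LIST:                                 # skip LinkTargetIDList (IDListSize + IDList)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:        # LocalBasePath is a NUL-terminated ANSI string
            end = data.index(b"\x00", pos + base_off)
            paths.append(data[pos + base_off:end].decode("latin-1"))
        pos += size
    return paths

def lnk_findings(data: bytes) -> list:
    """Flag target paths explorer.exe would canonicalise (the 'LNK stomping' shapes)."""
    findings = []
    for p in lnk_local_base_paths(data):
        leaf = p.rsplit("\\", 1)[-1]
        if leaf != leaf.rstrip(". "):                       # e.g. "powershell.exe." or "cmd.exe "
            findings.append((p, "trailing dot/space after target name"))
        if not (len(p) >= 3 and p[1:3] == ":\\") and not p.startswith("\\\\"):
            findings.append((p, "relative target path"))  # e.g. ".\target.exe"
    return findings

def build_lnk(local_base_path: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo with one LocalBasePath), used only as a fixture."""
    base = local_base_path.encode("latin-1") + b"\x00"
    li_hdr = 28                                             # seven 4-byte LinkInfo header fields
    link_info = struct.pack("<IIIIIII", li_hdr + len(base), li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0, li_hdr, 0, li_hdr + len(base) - 1) + base
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    return header + bytes(HEADER_SIZE - len(header)) + link_info

if __name__ == "__main__":
    for target in (r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\powershell.exe.", r".\target.exe"):
        print(target, "->", lnk_findings(build_lnk(target)) or "canonical")
```

Real samples usually carry the target in the LinkTargetIDList as well, which this parser skips, so treat a clean result as "LocalBasePath looks canonical" rather than "file is safe".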
Elastic Security Labs believes this weakness has been abused in the wild for years, given that it found multiple samples in VirusTotal designed to exploit it, the oldest of which was submitted more than six years ago.