I am not so sure about it, in many cases a drive by attack can gently ignore both UAC and Smartscreen. Both malware file and the shortcut can be dropped to the User Space (no copy alert) without 'Mark of the Web' (no Smartscreen check on the run), and executed without elevation (no UAC alert). Thanks to Microsoft, SRP will stop direct malware execution, but sadly, not indirect execution by the shortcut.
It is also interesting, that after copying the same shortcut to the System Space (for example C:\Windows) above trick does not work.
I would like the missing option in SRP to whitelist shortcuts by hash.
By the way, using SRP with something like Voodoo Shield may be a good idea.
My reply to your question was not correct, it should be:
Almost anywhere (except whitelisted folders).
A Smartscreen and UAC bypass can only happen if the malware is executed. The whole purpose of software restriction policies are to block the execution in the first place. For a file to execute the user launched it with either the SRPs disabled, the SRP configuration allows the launch, and\or there is a bug\vulnerability. The most common scenario are the first two - with the last one a rarity.
AppLocker if properly configured will block all high-risk file\process executions - even malicious *.lnk (shortcut) with arguments that download and drop files to writeable directories can be effectively handled. Simply create policies that block the launch of executable files from writeable directories susceptible to malicious *.lnk attacks. Using an understanding of Windows and malware behaviors you can bolster AppLocker's basic configuration.
Last edited by a moderator: