Listen to this Post
SmartScreen, Windows’ built-in security feature, not only blocks malicious files via Mark of the Web (MoTW) but also logs user interactions—if enabled. These logs provide forensic investigators with critical data, including file paths, user SIDs, and MoTW status.
Enabling SmartScreen Debug Logs
To activate SmartScreen event logging, run:
wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
This command enables debug-level logging for SmartScreen interactions.
Key Data Captured
- File Path: Full path of executed files/documents.
- User SID: Identifies the user interacting with the file.
- File Size: Helps correlate with suspicious binaries.
- MoTW Status: Flags files downloaded from the internet.
For a deeper dive, refer to Hack The Box’s blog: SmartScreen Forensics.
You Should Know: Forensic Commands & Techniques
1. Query SmartScreen Logs
Extract events using PowerShell:
Get-WinEvent -LogName "Microsoft-Windows-SmartScreen/Debug" | Format-List
2. Export Logs for Analysis
Save logs to a CSV:
Get-WinEvent -LogName "Microsoft-Windows-SmartScreen/Debug" | Export-CSV "Smartscreen_Logs.csv" -NoTypeInformation
3. Check MoTW on Suspicious Files
Verify if a file has MoTW (Zone.Identifier):
more < "C:\Path\to\file.exe:Zone.Identifier"
4. Monitor Real-Time SmartScreen Events
Use `Event Viewer` or this PowerShell snippet:
Get-WinEvent -LogName "Microsoft-Windows-SmartScreen/Debug" -MaxEvents 10 -Wait
5. Cross-Reference with Process Execution
Combine with Sysmon logs (Event ID 1) to trace execution chains:
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=1} | Where-Object { $_.Message -match "file.exe" }
6. Disable MoTW Bypass Techniques
Attackers often strip MoTW. Detect this via:
dir /R .exe Look for missing Zone.Identifier streams
What Undercode Say
SmartScreen logs are a goldmine for DFIR teams, but their reliability varies across Windows versions. Always correlate with other artifacts like:
– Prefetch: `C:\Windows\Prefetch`
– Amcache: `C:\Windows\AppCompat\Programs\Amcache.hve`
– ShimCache: Check via `reg query HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
For advanced hunting:
Linux tools for analyzing Windows artifacts (if logs are exported) strings Amcache.hve | grep "malware.exe" volatility -f memory.dump --profile=Win10x64_19041 shimcache
Pro Tip: SmartScreen logs may miss unsigned or LOLBins. Supplement with:
Get-ChildItem -Path C:\Windows\System32.exe | Get-AuthenticodeSignature | Where-Object { $_.Status -ne "Valid" }
Expected Output:
- Enabled SmartScreen debug logs.
- Exported event data for forensic review.
- Detected MoTW bypass attempts.
- Correlated with Sysmon/execution logs.
For further reading: HTB SmartScreen Deep Dive.
References:
Reported By: Coenemichel Digitalforensics – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
