Hackers of India

AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That

By  Nikhil Mittal  on 11 Nov 2016 @ Deepsec


Presentation Material

Abstract

In Windows 10, Microsoft introduced the Antimalware Scan Interface (AMSI), which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security, and with the advent of PowerShell such attacks have become increasingly common.

AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves the detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it must eventually be presented to the script host in clear, unobfuscated text. Moreover, since the code is submitted to AMSI just before execution, it doesn’t matter whether the code comes from disk, from memory or was entered interactively. AMSI is an open interface and Microsoft says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10.
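A defender's first question after reading the abstract is usually "is AMSI actually active on this host?" The following PowerShell script is an added example and is not part of the talk material. It checks that amsi.dll is loaded into the current PowerShell process, reads Windows Defender's service status, and then submits Microsoft's published AMSI test sample string to the script host, which should be blocked before execution. The exact wording of the block message is an assumption; the check only looks for the phrase "malicious content" in the error.

```powershell
# Added example: verify that AMSI is wired into this PowerShell host.
# Run in an interactive Windows 10 PowerShell 5.x session.

function Test-AmsiLoaded {
    # The script host loads amsi.dll when AMSI integration is active.
    $proc = [System.Diagnostics.Process]::GetCurrentProcess()
    $mod  = $proc.Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' }
    return [bool]$mod
}

function Get-DefenderAmsiStatus {
    # Get-MpComputerStatus is shipped with the Defender PowerShell module.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        return [pscustomobject]@{
            AntivirusEnabled           = $s.AntivirusEnabled
            AMServiceEnabled           = $s.AMServiceEnabled
            RealTimeProtectionEnabled  = $s.RealTimeProtectionEnabled
        }
    } catch {
        return $null   # Defender module not present (third-party AV, Server SKU, etc.)
    }
}

function Test-AmsiBlocksSample {
    # Microsoft documents this harmless test string for exactly this purpose:
    # any AMSI-backed AV should flag it without needing a real malicious script.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # The string is handed to the script host as code, so AMSI scans it
        # before anything runs. Under Defender this raises a ParseException.
        Invoke-Expression $sample | Out-Null
        return $false                      # executed: AMSI did NOT intervene
    } catch {
        # Assumption: the blocking error mentions "malicious content".
        return ($_.Exception.Message -match 'malicious content')
    }
}

# Usage: report each check so a blue team can spot a host where AMSI is off.
Write-Host ("amsi.dll loaded in host : {0}" -f (Test-AmsiLoaded))
Get-DefenderAmsiStatus | Format-List
Write-Host ("AMSI blocked test sample: {0}" -f (Test-AmsiBlocksSample))
```

A result of `False` on the last line with Defender enabled is worth investigating: it means the script host did not hand the content to the scanner, which is exactly the condition the talk's bypass demonstrations produce.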

Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI?

The talk will be full of live demonstrations.

AI Generated Summary (may contain errors)


The speaker demonstrates a client-side attack on a Windows 10 machine with Windows Defender and AMSI turned on. The attack involves a malicious attachment that, when opened by a client, pulls down a PowerShell script from a Kali box and executes it in memory without any detection or pop-ups. The speaker notes that this is possible because AMSI is not a silver bullet and can be bypassed.

The speaker also discusses the benefits of using PowerShell version 5, which has improved logging capabilities, including auto-logging of suspicious scripts. They suggest that defenders should encourage attackers to use PowerShell, as it leaves behind a fingerprint and logs activity.

In response to audience questions, the speaker notes that Microsoft may not prioritize fixing AMSI bypasses, as AMSI is not considered a security boundary. However, they suggest that running Windows 10 with AMSI turned on can still provide some protection. Additionally, they recommend using Windows Management Framework (WMF) 5, which includes PowerShell version 5, to enable automatic logging and improve defenses.

Finally, the speaker notes that plain-text PowerShell scripts which get past AMSI can still be recorded by enabling universal transcript logging, or by enabling process logging for specific executables such as PowerShell and cmd.exe.
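The summary's closing advice (WMF 5 logging, transcription and process logging for PowerShell and cmd.exe) maps onto a handful of policy registry values and one audit setting. The script below is an added example, not material from the talk, showing how an administrator would enable those controls on a single Windows 10 host and then pull back the resulting events. The registry paths and event IDs are the standard Microsoft ones for PowerShell script block logging (4104), transcription and process creation auditing (4688); the transcript output directory is an assumed value.

```powershell
#Requires -RunAsAdministrator
# Added example: turn on the PowerShell 5 / WMF 5 logging the talk recommends.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging: the de-obfuscated script block is written to
    # Microsoft-Windows-PowerShell/Operational as event 4104, which is the
    # "fingerprint" the speaker says attackers leave behind.
    Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

    # Module logging (event 4103): records pipeline execution for all modules.
    Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
    Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

    # Universal transcription: every session is transcribed to text files.
    # Assumed output directory; point it at a write-only share in production.
    Set-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting' 1
    Set-PolicyValue "$psPolicy\Transcription" 'EnableInvocationHeader' 1
    Set-PolicyValue "$psPolicy\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'
}

function Enable-ProcessCreationAuditing {
    # Security event 4688 for every new process, with the full command line,
    # so launches of powershell.exe / cmd.exe are recorded even when the
    # script content itself never touched disk.
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
    Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
        'ProcessCreationIncludeCmdLine_Enabled' 1
}

function Get-RecentScriptBlocks {
    param([int]$Max = 10)
    # Event 4104 carries the script text; the message also flags blocks that
    # PowerShell itself considered suspicious (logged at Warning level).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LevelDisplayName, Message
}

function Get-RecentShellLaunches {
    param([int]$Max = 20)
    # Filter 4688 down to the two executables named in the talk.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\(powershell|cmd)\.exe' } |
        Select-Object -First $Max TimeCreated, Message
}

# Usage: apply the settings, then review what has been captured so far.
Enable-PowerShellLogging
Enable-ProcessCreationAuditing
Get-RecentScriptBlocks  | Format-Table -AutoSize -Wrap
Get-RecentShellLaunches | Format-Table -AutoSize -Wrap
```

Transcripts and 4104 events should be shipped off the host promptly: an attacker who has already bypassed AMSI and runs as administrator can clear local logs, so the value of this logging comes from forwarding it to a collector the endpoint cannot modify.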