+ All Categories
Home > Documents > AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code...

AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code...

Date post: 06-Aug-2020
Category:

Documents
Upload: others
View: 0 times
Download: 0 times
Download Report this document
Share this document with a friend
25
1
Transcript
Page 1: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

1

Page 2: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

2

Page 3: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

3

Page 4: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

4

Page 5: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

5

Page 6: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/ https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

6

Page 7: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

7

Page 8: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

https://github.com/Ben0xA/nps

8

Page 9: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

All demonstrations on 64-bit Windows 10 build 10586

9

Page 10: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

10

Page 11: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

PowerShell code and scripts can be executed without using PowerShell.exe. Please see: https://github.com/leechristensen/UnmanagedPowerShell https://github.com/Ben0xA/nps https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick Interesting methods to bypass Application whitelisting http://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.html http://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.html https://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txt http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html

11

Page 12: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

12

Page 13: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

13

Page 14: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

14

Page 15: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

15

Page 16: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

16

Page 17: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

17

Page 18: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

18

Page 19: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

19

Page 20: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

Source: https://twitter.com/mattifestation/status/735261176745988096

20

Page 21: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html

21

Page 22: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

22

Page 23: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

23

Page 24: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

24

Page 25: AMSI: How Windows 10 Plans to Stop Script-Based Attacks ... · obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG uses DeepSec'16 AMSI . Win32 API Layer

25


Recommended
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Technology

Abstract - AMSI

Abstract - AMSI

Documents

AMSI CHOOSE MATHS RESEARCHamsi.org.au/wp-content/uploads/2018/01/amsi-cm-gender-report-2017...AMSI CHOOSE MATHS RESEARCH [ No2 - 2017 ] ... the Choose Maths project is working to build

AMSI CHOOSE MATHS RESEARCHamsi.org.au/wp-content/uploads/2018/01/amsi-cm-gender-report-2017...AMSI CHOOSE MATHS RESEARCH [ No2 - 2017 ] ... the Choose Maths project is working to build

Documents

AMSI Schools Celebrate the UAE’s 44 th National Day and ...media.amsi.ae/documents/amsi/newsletters/2015-2016/01122016_… · December 2015 - Issue #16 Email: info@amsi.ae Tel:

AMSI Schools Celebrate the UAE’s 44 th National Day and ...media.amsi.ae/documents/amsi/newsletters/2015-2016/01122016_… · December 2015 - Issue #16 Email: [email protected] Tel:

Documents

AMSI CHOOSE MATHS RESEARCHamsi.org.au/media/AMSI-CM-Gender-report-2017.pdfAMSI CHOOSE MATHS RESEARCH [ No2 - 2017 ] Gender Report 2017: Participation, Performance, and ... acknowledgement.

AMSI CHOOSE MATHS RESEARCHamsi.org.au/media/AMSI-CM-Gender-report-2017.pdfAMSI CHOOSE MATHS RESEARCH [ No2 - 2017 ] Gender Report 2017: Participation, Performance, and ... acknowledgement.

Documents

Association of Modern Scientific Investigation - AMSI

Association of Modern Scientific Investigation - AMSI

Documents

AMSI, Copyright 2007 Advanced Classrooms at AMSI… Emphasizing the human aspect.

AMSI, Copyright 2007 Advanced Classrooms at AMSI… Emphasizing the human aspect.

Documents

AMSI 2016 Annual Report · all-sector, all-discipline internship program, AMSI Intern. A key priority under the National Innovation and Science Agenda, this will support delivery

AMSI 2016 Annual Report · all-sector, all-discipline internship program, AMSI Intern. A key priority under the National Innovation and Science Agenda, this will support delivery

Documents

The 2012 AMSI/ANU/UQ Winter School on Geometric Partial

The 2012 AMSI/ANU/UQ Winter School on Geometric Partial

Documents

WHAT IS CHOOSE ? PAGE 3 PAGE 5 PAGE 7 - AMSI Schoolschoosemathsstudents.amsi.org.au/wp-content/uploads/... · Institute (AMSI) and the BHP Billiton Foundation. Working with students,

WHAT IS CHOOSE ? PAGE 3 PAGE 5 PAGE 7 - AMSI Schoolschoosemathsstudents.amsi.org.au/wp-content/uploads/... · Institute (AMSI) and the BHP Billiton Foundation. Working with students,

Documents

AMSI Summer Schoolamsi.org.au/wp-content/uploads/2016/10/2015-16_summerschool_re… · he AMSI Summer School is one of the key events in the calendar of the Australian mathematical

AMSI Summer Schoolamsi.org.au/wp-content/uploads/2016/10/2015-16_summerschool_re… · he AMSI Summer School is one of the key events in the calendar of the Australian mathematical

Documents

sets and venn diagrams - AMSI

sets and venn diagrams - AMSI

Documents

Simulation (AMSI Public Lecture)

Simulation (AMSI Public Lecture)

Education

Property Management Product Development Update Randy Lott Director, Development AMSI.

Property Management Product Development Update Randy Lott Director, Development AMSI.

Documents

Amsi high school

Amsi high school

Documents

AMSI User Manual Site Users - Shelby County Schools Manual.pdf · AMSI Web Application Login Enter your normal Windows User Name and Password in the AMSI Web App Login Screen. If

AMSI User Manual Site Users - Shelby County Schools Manual.pdf · AMSI Web Application Login Enter your normal Windows User Name and Password in the AMSI Web App Login Screen. If

Documents

Session #107 - AMSI Hosting Options

Session #107 - AMSI Hosting Options

Documents

Academic/ University AMSI Intern · Industry Partner AMSI Intern PhD student Academic/ University Government ... L Mining, Energy & Natural Resourc.. . Manufacturing & Advanced Manufac..

Academic/ University AMSI Intern · Industry Partner AMSI Intern PhD student Academic/ University Government ... L Mining, Energy & Natural Resourc.. . Manufacturing & Advanced Manufac..

Documents