Successfully reported this slideshow.

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

7

Share

Aug. 10, 2016
7 likes 43,651 views
Upcoming SlideShare
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Loading in …3
×
1 of 26
1 of 26

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Aug. 10, 2016
7 likes 43,651 views

7

Share

Download to read offline

Technology

The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.

The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.

Technology

Recommended

More Related Content

Viewers also liked

Client side attacks using PowerShell
Nikhil Mittal
PowerShell for Penetration Testers
Nikhil Mittal
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
The Unintended Risks of Trusting Active Directory
Will Schroeder
Defending Your "Gold"
Will Schroeder
More fun using Kautilya
Nikhil Mittal
Owning windows 8 with human interface devices
Nikhil Mittal
PSConfEU - Building an Empire with PowerShell
Will Schroeder
Lateral Movement with PowerShell
kieranjacobsen
Secure360 - Extracting Password from Windows
Scott Sutherland
Ace Up the Sleeve
Will Schroeder
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
ColdFusion for Penetration Testers
Chris Gates
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon
Kautilya: Teensy beyond shell
Nikhil Mittal
An Introduction to PowerShell for Security Assessments
EnclaveSecurity
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight

Similar to AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
The Dark Side of PowerShell by George Dobrea
EC-Council
Project in malware analysis:C2C
Fabrizio Farinacci
Higher Level Malware
CTruncer
Securing Apache Web Servers
Information Technology
Introduction To Ethical Hacking
Raghav Bisht
PowerShell: From Attackers' to Defenders' Perspective
CrystalTan31
Adversarial Post Ex - Lessons from the Pros
sixdub
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
Fileless Malware Infections
Ramon
DEFCON 23 - ionut popescu - net ripper
Felipe Prado
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
Ilomo Clampi Botnet Aug2009
Trend Micro
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
Un) fucking forensics
Shane Macaulay
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
egypt
Basic Dynamic Analysis of Malware
Natraj G

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free
Energy Conservation in Buildings: The Achievement of 50% Energy Saving: An Environmental Challenge? Elsevier Books Reference
(4/5)
Free
Longitude: The True Story of a Lone Genius Who Solved the Greatest Scientific Problem of His Time Dava Sobel
(4/5)
Free
Young Men and Fire: Twenty-fifth Anniversary Edition Norman Maclean
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

  1. 1. AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal
  2. 2. whoami • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Penetration Tester and Trainer • Associate Consultant with NoSoSecure • Spoken/Trained at: Defcon, Blackhat, CanSecWest, Shakacon and more. 2AMSIBlack Hat US'16
  3. 3. Outline • Script based attacks • Introduction to AMSI • AMSI – Detection and Blocking capabilities • Failed attempts to avoid detection • Bypassing AMSI • Conclusion 3AMSIBlack Hat US'16
  4. 4. Script Based Attacks What? - PowerShell, VBScript, Jscript. Why? – Low rate of detection, very effective. • Already present on targets. • Used by system administrators. • Provides access to various OS and Network components. • PowerShell is future of Windows Remote Administration. • Anti Virus vendors have only recently, 2013 onwards, started to flag PowerShell scripts. 4AMSIBlack Hat US'16
  5. 5. Script Based Attacks How? – • Execute from disk • Execute from memory – encodedcommand, downloadstring, reflection. Detection is easy for scripts saved to disk. How to stop execution from memory? 5AMSIBlack Hat US'16
  6. 6. AntiMalware Scan Interface (AMSI) According to Microsoft AMSI : • Provides File, memory and stream scanning, content source URL/IP reputation checks, and other techniques. • Can be integrated in any application. • Includes additional calls for scripts that use obfuscation or layer dynamic code evaluation. • As of now (21st July 2016), Windows Defender and AVG uses it. 6AMSIBlack Hat US'16
  7. 7. AMSI Architecture Source: https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application- developers-new-malware-defenses/ 7AMSIBlack Hat US'16
  8. 8. What makes AMSI effective? AMSI tries to catch the scripts at the Scripting host level. It means: • Input method (disk, memory, interactive) doesn’t matter. • Use of System.Automation.dll (PowerShell scripts without powershell.exe) doesn’t help as well. • Less help from obfuscation. 8AMSIBlack Hat US'16
  9. 9. DEMO – AMSI Detection 9AMSIBlack Hat US'16
  10. 10. Putting AMSI to test – Unusual storage What if PowerShell scripts are loaded from unusual places like: • WMI namespaces • Registry Keys • Event logs Traditional (disk based) detection is unable to catch such scripts as the storage is rather unusual. 10AMSIBlack Hat US'16
  11. 11. Putting AMSI to test – Unusual Execution What if PowerShell scripts are executed: • Without using powershell.exe - .Net classes, separate runspace. • Reflection (Memory space of other processes) • Application whitelisting bypasses - InstallUtil, regsrv32, rundll32 11AMSIBlack Hat US'16
  12. 12. DEMO – Putting AMSI to test – Unusual Execution 12AMSIBlack Hat US'16
  13. 13. Is it all gloom and doom for Red Teams? Bypass and/or avoid AMSI • Use PowerShell version 2 (needs .Net 3.0 which is not present in a default Windows 10) • Significantly change the signature of your scripts – limited effectiveness • Disable AMSI 13AMSIBlack Hat US'16
  14. 14. Bypass or avoid AMSI Signature bypass • Obfuscation • Not really hard to bypass AMSI using this. 1. Remove help section 2. Obfuscate function and variable names 3. Encode parts of script 4. Profit • Obfuscation functionality in ISESteroids Module – Fast and very effective at the time of writing. 14AMSIBlack Hat US'16
  15. 15. Bypass or avoid AMSI Signature bypass 15AMSIBlack Hat US'16
  16. 16. Unload AMSI • Set-MpPreference • Unload from current process – Matt’s method • P0wnedshell 16AMSIBlack Hat US'16
  17. 17. Bypass or avoid AMSI Set-MpPreference • Handy PowerShell cmdlet to play with Windows Defender. Set-MpPreference – DisableRealtimeMonitoring $True 17AMSIBlack Hat US'16
  18. 18. Bypass or avoid AMSI Set-MpPreference • Shows a notification to the user • Needs elevated privileges (not much headache in a post- exploitation scenario) • Event ID 5001 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection was disabled. 18AMSIBlack Hat US'16
  19. 19. Bypass or avoid AMSI Set-MpPreference • To target AMSI: Set-MpPreference –DisableIOAVProtection $True 19AMSIBlack Hat US'16
  20. 20. Bypass or avoid AMSI Set-MpPreference • Doesn’t show any notification to the user • Needs elevated privileges • Event ID 5004 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection feature (IE Downloads and Outlook Express attachments) configuration has changed. 20AMSIBlack Hat US'16
  21. 21. Bypass or avoid AMSI Unloading AMSI • A one line AMSI bypass from Matt Graeber (screenshot) (@mattifestation) [Ref].Assembly.GetType('System.Management.Aut omation.AmsiUtils').GetField('amsiInitFailed' ,'NonPublic,Static').SetValue($null,$true) • Unload AMSI from current process. • No need of elevated privileges • Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Suspicious script block logging • Bypass the automatic logging? 21AMSIBlack Hat US'16
  22. 22. Bypass or avoid AMSI Unloading AMSI • A method discovered by Cornelis de Plaa (@Cneelis) • Implemented in p0wnedshell (https://github.com/Cn33liz/p0wnedShell) • Drop amsi.dll in the current working directory while loading the p0wnedshell runspace. The dll is loaded by the runspace and exits immediately to unload AMSI. • Event ID 4104 (Microsoft-Windows- PowerShell/Operational) – Suspicious script block logging (due to successful loading of scripts in memory) • Bypass the automatic logging? 22AMSIBlack Hat US'16
  23. 23. Demo – Bypassing AMSI using a Client Side Attack 23AMSIBlack Hat US'16 Image source: http://goo.gl/CmZbmL
  24. 24. WMF5 Auto Logging • Hard to execute a PowerShell attack without generating logs. • Apparently, Obfuscation boils down to bypass the logging. • Who is monitoring the logs? 24AMSIBlack Hat US'16
  25. 25. Black Hat Sound Bytes • AMSI is a big step forward towards blocking script based attacks in Windows. • It is possible to avoid AMSI using already known methods and techniques. • AMSI is useful only when used with other security methods. Monitor the logs! 25AMSIBlack Hat US'16
  26. 26. Thank You • Questions? • Please provide feedback. • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://www.labofapenetrationtester.com/2016/08/ amsi.html • https://github.com/samratashok/AMSI 26AMSIBlack Hat US'16

Editor's Notes

  • https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx
    https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/
    https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
  • https://github.com/Ben0xA/nps
  • All demonstrations on 64-bit Windows 10 build 10586
  • PowerShell code and scripts can be executed without using PowerShell.exe. Please see:
    https://github.com/leechristensen/UnmanagedPowerShell
    https://github.com/Ben0xA/nps
    https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick

    Interesting methods to bypass Application whitelisting
    http://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.html
    http://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.html
    https://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txt
    http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
  • Source: https://twitter.com/mattifestation/status/735261176745988096
  • Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html

    • ×