AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Hacker
Aug. 10, 2016
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
1 of 26

More Related Content

What's hot

Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui

Similar to AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsStrongback Consulting
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSPLukas Weichselbaum

Similar to AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It(20)

More from Nikhil Mittal

0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal

Recently uploaded

Product Listing Presentation_Cathy.pptxProduct Listing Presentation_Cathy.pptx
Product Listing Presentation_Cathy.pptxCatarinaTorrenuevaMa
Webhook Testing StrategyWebhook Testing Strategy
Webhook Testing StrategyDimpy Adhikary
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computersSpeck&Tech
Google Cloud Study Jams Info SessionGoogle Cloud Study Jams Info Session
Google Cloud Study Jams Info SessionGDSCPCCE
Need for Speed: Removing speed bumps in API ProjectsNeed for Speed: Removing speed bumps in API Projects
Need for Speed: Removing speed bumps in API ProjectsŁukasz Chruściel
Getting your enterprise ready for Microsoft 365 CopilotGetting your enterprise ready for Microsoft 365 Copilot
Getting your enterprise ready for Microsoft 365 CopilotVignesh Ganesan I Microsoft MVP

Recently uploaded(20)

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Editor's Notes

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/ https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
  2. https://github.com/Ben0xA/nps
  3. All demonstrations on 64-bit Windows 10 build 10586
  4. PowerShell code and scripts can be executed without using PowerShell.exe. Please see: https://github.com/leechristensen/UnmanagedPowerShell https://github.com/Ben0xA/nps https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick Interesting methods to bypass Application whitelisting http://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.html http://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.html https://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txt http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
  5. Source: https://twitter.com/mattifestation/status/735261176745988096
  6. Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html