SlideShare a Scribd company logo

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Download as PPTX, PDF
Nikhil Mittal
Nikhil Mittal

The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.

Technology
1 of 26
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal
whoami • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Penetration Tester and Trainer • Associate Consultant with NoSoSecure • Spoken/Trained at: Defcon, Blackhat, CanSecWest, Shakacon and more. 2AMSIBlack Hat US'16
Outline • Script based attacks • Introduction to AMSI • AMSI – Detection and Blocking capabilities • Failed attempts to avoid detection • Bypassing AMSI • Conclusion 3AMSIBlack Hat US'16
Script Based Attacks What? - PowerShell, VBScript, Jscript. Why? – Low rate of detection, very effective. • Already present on targets. • Used by system administrators. • Provides access to various OS and Network components. • PowerShell is future of Windows Remote Administration. • Anti Virus vendors have only recently, 2013 onwards, started to flag PowerShell scripts. 4AMSIBlack Hat US'16
Script Based Attacks How? – • Execute from disk • Execute from memory – encodedcommand, downloadstring, reflection. Detection is easy for scripts saved to disk. How to stop execution from memory? 5AMSIBlack Hat US'16
AntiMalware Scan Interface (AMSI) According to Microsoft AMSI : • Provides File, memory and stream scanning, content source URL/IP reputation checks, and other techniques. • Can be integrated in any application. • Includes additional calls for scripts that use obfuscation or layer dynamic code evaluation. • As of now (21st July 2016), Windows Defender and AVG uses it. 6AMSIBlack Hat US'16
AMSI Architecture Source: https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application- developers-new-malware-defenses/ 7AMSIBlack Hat US'16
What makes AMSI effective? AMSI tries to catch the scripts at the Scripting host level. It means: • Input method (disk, memory, interactive) doesn’t matter. • Use of System.Automation.dll (PowerShell scripts without powershell.exe) doesn’t help as well. • Less help from obfuscation. 8AMSIBlack Hat US'16
DEMO – AMSI Detection 9AMSIBlack Hat US'16
Putting AMSI to test – Unusual storage What if PowerShell scripts are loaded from unusual places like: • WMI namespaces • Registry Keys • Event logs Traditional (disk based) detection is unable to catch such scripts as the storage is rather unusual. 10AMSIBlack Hat US'16
Putting AMSI to test – Unusual Execution What if PowerShell scripts are executed: • Without using powershell.exe - .Net classes, separate runspace. • Reflection (Memory space of other processes) • Application whitelisting bypasses - InstallUtil, regsrv32, rundll32 11AMSIBlack Hat US'16
DEMO – Putting AMSI to test – Unusual Execution 12AMSIBlack Hat US'16
Is it all gloom and doom for Red Teams? Bypass and/or avoid AMSI • Use PowerShell version 2 (needs .Net 3.0 which is not present in a default Windows 10) • Significantly change the signature of your scripts – limited effectiveness • Disable AMSI 13AMSIBlack Hat US'16
Bypass or avoid AMSI Signature bypass • Obfuscation • Not really hard to bypass AMSI using this. 1. Remove help section 2. Obfuscate function and variable names 3. Encode parts of script 4. Profit • Obfuscation functionality in ISESteroids Module – Fast and very effective at the time of writing. 14AMSIBlack Hat US'16
Bypass or avoid AMSI Signature bypass 15AMSIBlack Hat US'16
Unload AMSI • Set-MpPreference • Unload from current process – Matt’s method • P0wnedshell 16AMSIBlack Hat US'16
Bypass or avoid AMSI Set-MpPreference • Handy PowerShell cmdlet to play with Windows Defender. Set-MpPreference – DisableRealtimeMonitoring $True 17AMSIBlack Hat US'16
Bypass or avoid AMSI Set-MpPreference • Shows a notification to the user • Needs elevated privileges (not much headache in a post- exploitation scenario) • Event ID 5001 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection was disabled. 18AMSIBlack Hat US'16
Bypass or avoid AMSI Set-MpPreference • To target AMSI: Set-MpPreference –DisableIOAVProtection $True 19AMSIBlack Hat US'16
Bypass or avoid AMSI Set-MpPreference • Doesn’t show any notification to the user • Needs elevated privileges • Event ID 5004 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection feature (IE Downloads and Outlook Express attachments) configuration has changed. 20AMSIBlack Hat US'16
Bypass or avoid AMSI Unloading AMSI • A one line AMSI bypass from Matt Graeber (screenshot) (@mattifestation) [Ref].Assembly.GetType('System.Management.Aut omation.AmsiUtils').GetField('amsiInitFailed' ,'NonPublic,Static').SetValue($null,$true) • Unload AMSI from current process. • No need of elevated privileges • Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Suspicious script block logging • Bypass the automatic logging? 21AMSIBlack Hat US'16
Bypass or avoid AMSI Unloading AMSI • A method discovered by Cornelis de Plaa (@Cneelis) • Implemented in p0wnedshell (https://github.com/Cn33liz/p0wnedShell) • Drop amsi.dll in the current working directory while loading the p0wnedshell runspace. The dll is loaded by the runspace and exits immediately to unload AMSI. • Event ID 4104 (Microsoft-Windows- PowerShell/Operational) – Suspicious script block logging (due to successful loading of scripts in memory) • Bypass the automatic logging? 22AMSIBlack Hat US'16
Demo – Bypassing AMSI using a Client Side Attack 23AMSIBlack Hat US'16 Image source: http://goo.gl/CmZbmL
WMF5 Auto Logging • Hard to execute a PowerShell attack without generating logs. • Apparently, Obfuscation boils down to bypass the logging. • Who is monitoring the logs? 24AMSIBlack Hat US'16
Black Hat Sound Bytes • AMSI is a big step forward towards blocking script based attacks in Windows. • It is possible to avoid AMSI using already known methods and techniques. • AMSI is useful only when used with other security methods. Monitor the logs! 25AMSIBlack Hat US'16
Thank You • Questions? • Please provide feedback. • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://www.labofapenetrationtester.com/2016/08/ amsi.html • https://github.com/samratashok/AMSI 26AMSIBlack Hat US'16

Recommended

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 

Recommended

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill ChainPuma Security, LLC
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSCody Thomas
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 

More Related Content

What's hot

Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSCody Thomas
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 

What's hot (20)

I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Secure code
Secure codeSecure code
Secure code
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 

Similar to AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
 
Tips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsStrongback Consulting
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
OSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven InfrastructureOSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven InfrastructureSchlomo Schapiro
 
OSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro - Test Driven InfrastructureOSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro - Test Driven InfrastructureNETWAYS
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and BestPositive Hack Days
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) Dragos, Inc.
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six MonthsAlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six MonthsErnest Mueller
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 

Similar to AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It (20)

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
 
Tips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS Applications
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
OSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven InfrastructureOSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven Infrastructure
 
OSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro - Test Driven InfrastructureOSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI)
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Damn Simics
Damn SimicsDamn Simics
Damn Simics
 
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six MonthsAlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 

More from Nikhil Mittal

0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 

More from Nikhil Mittal (11)

0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

  • 1. AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal
  • 2. whoami • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Penetration Tester and Trainer • Associate Consultant with NoSoSecure • Spoken/Trained at: Defcon, Blackhat, CanSecWest, Shakacon and more. 2AMSIBlack Hat US'16
  • 3. Outline • Script based attacks • Introduction to AMSI • AMSI – Detection and Blocking capabilities • Failed attempts to avoid detection • Bypassing AMSI • Conclusion 3AMSIBlack Hat US'16
  • 4. Script Based Attacks What? - PowerShell, VBScript, Jscript. Why? – Low rate of detection, very effective. • Already present on targets. • Used by system administrators. • Provides access to various OS and Network components. • PowerShell is future of Windows Remote Administration. • Anti Virus vendors have only recently, 2013 onwards, started to flag PowerShell scripts. 4AMSIBlack Hat US'16
  • 5. Script Based Attacks How? – • Execute from disk • Execute from memory – encodedcommand, downloadstring, reflection. Detection is easy for scripts saved to disk. How to stop execution from memory? 5AMSIBlack Hat US'16
  • 6. AntiMalware Scan Interface (AMSI) According to Microsoft AMSI : • Provides File, memory and stream scanning, content source URL/IP reputation checks, and other techniques. • Can be integrated in any application. • Includes additional calls for scripts that use obfuscation or layer dynamic code evaluation. • As of now (21st July 2016), Windows Defender and AVG uses it. 6AMSIBlack Hat US'16
  • 8. What makes AMSI effective? AMSI tries to catch the scripts at the Scripting host level. It means: • Input method (disk, memory, interactive) doesn’t matter. • Use of System.Automation.dll (PowerShell scripts without powershell.exe) doesn’t help as well. • Less help from obfuscation. 8AMSIBlack Hat US'16
  • 9. DEMO – AMSI Detection 9AMSIBlack Hat US'16
  • 10. Putting AMSI to test – Unusual storage What if PowerShell scripts are loaded from unusual places like: • WMI namespaces • Registry Keys • Event logs Traditional (disk based) detection is unable to catch such scripts as the storage is rather unusual. 10AMSIBlack Hat US'16
  • 11. Putting AMSI to test – Unusual Execution What if PowerShell scripts are executed: • Without using powershell.exe - .Net classes, separate runspace. • Reflection (Memory space of other processes) • Application whitelisting bypasses - InstallUtil, regsrv32, rundll32 11AMSIBlack Hat US'16
  • 12. DEMO – Putting AMSI to test – Unusual Execution 12AMSIBlack Hat US'16
  • 13. Is it all gloom and doom for Red Teams? Bypass and/or avoid AMSI • Use PowerShell version 2 (needs .Net 3.0 which is not present in a default Windows 10) • Significantly change the signature of your scripts – limited effectiveness • Disable AMSI 13AMSIBlack Hat US'16
  • 14. Bypass or avoid AMSI Signature bypass • Obfuscation • Not really hard to bypass AMSI using this. 1. Remove help section 2. Obfuscate function and variable names 3. Encode parts of script 4. Profit • Obfuscation functionality in ISESteroids Module – Fast and very effective at the time of writing. 14AMSIBlack Hat US'16
  • 15. Bypass or avoid AMSI Signature bypass 15AMSIBlack Hat US'16
  • 16. Unload AMSI • Set-MpPreference • Unload from current process – Matt’s method • P0wnedshell 16AMSIBlack Hat US'16
  • 17. Bypass or avoid AMSI Set-MpPreference • Handy PowerShell cmdlet to play with Windows Defender. Set-MpPreference – DisableRealtimeMonitoring $True 17AMSIBlack Hat US'16
  • 18. Bypass or avoid AMSI Set-MpPreference • Shows a notification to the user • Needs elevated privileges (not much headache in a post- exploitation scenario) • Event ID 5001 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection was disabled. 18AMSIBlack Hat US'16
  • 19. Bypass or avoid AMSI Set-MpPreference • To target AMSI: Set-MpPreference –DisableIOAVProtection $True 19AMSIBlack Hat US'16
  • 20. Bypass or avoid AMSI Set-MpPreference • Doesn’t show any notification to the user • Needs elevated privileges • Event ID 5004 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection feature (IE Downloads and Outlook Express attachments) configuration has changed. 20AMSIBlack Hat US'16
  • 21. Bypass or avoid AMSI Unloading AMSI • A one line AMSI bypass from Matt Graeber (screenshot) (@mattifestation) [Ref].Assembly.GetType('System.Management.Aut omation.AmsiUtils').GetField('amsiInitFailed' ,'NonPublic,Static').SetValue($null,$true) • Unload AMSI from current process. • No need of elevated privileges • Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Suspicious script block logging • Bypass the automatic logging? 21AMSIBlack Hat US'16
  • 22. Bypass or avoid AMSI Unloading AMSI • A method discovered by Cornelis de Plaa (@Cneelis) • Implemented in p0wnedshell (https://github.com/Cn33liz/p0wnedShell) • Drop amsi.dll in the current working directory while loading the p0wnedshell runspace. The dll is loaded by the runspace and exits immediately to unload AMSI. • Event ID 4104 (Microsoft-Windows- PowerShell/Operational) – Suspicious script block logging (due to successful loading of scripts in memory) • Bypass the automatic logging? 22AMSIBlack Hat US'16
  • 23. Demo – Bypassing AMSI using a Client Side Attack 23AMSIBlack Hat US'16 Image source: http://goo.gl/CmZbmL
  • 24. WMF5 Auto Logging • Hard to execute a PowerShell attack without generating logs. • Apparently, Obfuscation boils down to bypass the logging. • Who is monitoring the logs? 24AMSIBlack Hat US'16
  • 25. Black Hat Sound Bytes • AMSI is a big step forward towards blocking script based attacks in Windows. • It is possible to avoid AMSI using already known methods and techniques. • AMSI is useful only when used with other security methods. Monitor the logs! 25AMSIBlack Hat US'16
  • 26. Thank You • Questions? • Please provide feedback. • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://www.labofapenetrationtester.com/2016/08/ amsi.html • https://github.com/samratashok/AMSI 26AMSIBlack Hat US'16

Editor's Notes

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/ https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
  2. https://github.com/Ben0xA/nps
  3. All demonstrations on 64-bit Windows 10 build 10586
  4. PowerShell code and scripts can be executed without using PowerShell.exe. Please see: https://github.com/leechristensen/UnmanagedPowerShell https://github.com/Ben0xA/nps https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick Interesting methods to bypass Application whitelisting http://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.html http://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.html https://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txt http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
  5. Source: https://twitter.com/mattifestation/status/735261176745988096
  6. Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html