Geoff McDonald, Microsoft Moustafa Saleh, Microsoft Bhavna Soman, Microsoft Jugal Parikh, Microsoft Andrea Lelli (MSR) As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying instead on social-engineering based attacks. These socially-engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts will be hosted with a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Versions of Windows 10 have behavior instrumentation of some of the script execution engines in place, which passes behavior during execution to the default installed security product for scanning through the AMSI interface. In this presentation, we will present how we use this feature combined with machine learning in Windows Defender AV to protect against these attacks by pairing lightweight client behavior models with heavier real-time cloud models.

5. hxxp://domke-engineering.de:10080/8734gf3hf?...
"C:UsersAdministratorAppDataLocalTempjXUahaeoJ.exe"

6. Malvertising redirects

8. 96% of malware are seen
only once
-
200,000
400,000
600,000
800,000
1 2 3 4 5 6 7 8 9 10 11 12
Downloadattempts
Hours after first encounter
Malicious downloads encountered
more than once
Source: Windows Defender Antivirus, August 2017
Source: Windows Defender Antivirus, Q1 2017
55%
6% 6% 7%
26%
0%
20%
40%
60%
1 2-10 11-100 101-1000 1001+
Percenttotalencounters
Number of client encounters per threat
Customer impact of unique and
prevalent threats

10. Learn more!
https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal

11. Invoke-Expression
[ScriptBlock]::Create(…)
Function foo { … }
PowerShell –Command …
PowerShell –EncodedCommand …
IEX (an alias to Invoke-Expression)
$executionContext.InvokeCommand.InvokeScript( … )
$executionContext.InvokeCommand.NewScriptBlock( … )
$ExecutionContext.InvokeCommand.ExpandString( … )
$PSCmdlet.InvokeCommand.InvokeScript( … )
$PSCmdlet.InvokeCommand.NewScriptBlock( … )
$PSCmdlet.InvokeCommand.ExpandString( … )

15. • Windows Defender AV
• Windows Defender ATP
• AVG
• BitDefender
• CrowdStrike Falcon
• ESET
• Dr. Web
• Avast
• McAfee
• Kaspersky
From public information:
+ other security products are likely

17. • WScript.Shell.Run()
• Shell.Application.ShellExecute()
• Wscript.Shell.Exec()
• MMC20.Application.Document.ActiveView.ExecuteShellCo
mmand
• Execute (generic "object.Execute", often used with the obj
returned by "WSHController.CreateScript")
• Win32_Process.ExecMethod
• Win32_Process.ExecMethodAsync
• _60020007 (Dispatch ID used by generic
"object.DynamicInvoke" method, often used with
"BinaryFormatter")
• _01000001 (Dispatch ID used by "StartService" and
"Win32_ProcessStartup.Create" methods)
• Shell.Application.ServiceStart

22. Defender
Client

23. Defender
Client

25. Defender
Client

28. SDCA: Shalev-Shwartz, Shai, and Tong Zhang. "Stochastic dual coordinate ascent methods for regularized loss
minimization." Journal of Machine Learning Research 14.Feb (2013): 567-599.
SA-SDCA: Microsoft Research. Tran, Kenneth, et al. "Scaling up stochastic dual coordinate ascent." Proceedings of the 21th
ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2015.

29. 0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
0% 1% 2% 3% 4% 5%
POSITIVERECALL
FALSE POSITIVES

31. IHost
IWshShell
IFileSystem
IServerXMLHTTPRequest
_Stream
CreateObject Status SaveToFile
ExpandEnvironmentStrings Type Run
FileExists responseBody
open Write
send Size

32. Defender
Client

33. Defender
Client

38. Defender
Client

40. Defender
Client

44. Training Test
Test Training
Data

45. 70%
75%
80%
85%
90%
95%
100%
0.00%
0.01%
0.03%
0.04%
0.05%
0.07%
0.08%
0.09%
0.11%
0.12%
0.13%
0.15%
0.16%
0.17%
0.19%
0.20%
0.21%
0.23%
0.24%
0.25%
0.27%
0.28%
0.29%
PositiveRecall
False Positive Rate
LightGBM
Boosted Trees
CNTK 1 hidden,
40 neurons
XGBoost

48. 75.00%
80.00%
85.00%
90.00%
95.00%
100.00%
0.00% 0.10% 0.20% 0.30% 0.40% 0.50%
POSITIVERECALL
FPR
All Features
ML signatures +
Expert signatures
Fuzzy Hash
Partial Hash

50. 70%
75%
80%
85%
90%
95%
100%
0.00%
0.01%
0.03%
0.04%
0.05%
0.07%
0.08%
0.09%
0.11%
0.12%
0.13%
0.15%
0.16%
0.17%
0.19%
0.20%
0.21%
0.23%
0.24%
0.25%
0.27%
0.28%
0.29%
PositiveRecall
False Positive Rate
LR LR Monotonoic

52. AMSI integration
point
Dynamic script
content AMSI calls
Behavior AMSI calls
PowerShell X
VBScript X X
JavaScript X X
Office VBA macros X

55. Unique insights, informed by trillions of signals