DeepSec2016 Talk: AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That – Nikhil Mittal
In his talk Nikhil Mittal will focus on AMSI: In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI), which is designed to target script based attacks and malware. Script based attacks have been lethal for enterprise security and with the advent of PowerShell, such attacks have become increasingly common.
AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves detection and the blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn’t matter if the code comes from disk, memory or was entered interactively. AMSI is an open interface and MS says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10.
Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI? We asked Nikhil Mittal a few questions about his talk.
Please tell us the top 5 facts about your talk.
- The talk is about AMSI (Antimalware Scan Interface), an interface present by-default on Windows 10 machines which can work with antivirus on a machine.
- AMSI enables the scanning of a script through an antivirus present on the machine, regardless of the input method (memory, disk or manual) used for loading the script.
- AMSI steps in when a script is submitted to the corresponding script host – which makes bypass techniques like obfuscation less effective.
- Even if PowerShell scripts are executed without using powershell.exe. AMSI can still catch the scripts.
- Fellow researchers have already discovered, bypasses/avoidance for AMSI. It is still dependent on the signature based detection of the antivirus.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I use PowerShell a lot in during penetration testing engagements and while testing one of my PowerShell scripts on a Windows 10 machine, I noticed that it was being blocked even when loaded from memory. On investigation, I stumbled upon AMSI (Antimalware Scan Interface), the Microsoft technology enabled by default on Windows 10 machines, which is designed to stop script based attacks which utilize PowerShell, VBScript, JScript etc. This talk is a result of my and other hackers’ experiments with AMSI.
Why do you think this is an important topic?
Script based attacks are widely used both by the good and by the bad guys. Scripts like those for PowerShell are generally hard to detect because of various functionalities available in PowerShell, which allow the scripts to be loaded from memory and not from disk. AMSI is an important step towards thwarting such script based attacks because it has the capability to detect malicious scripts even from memory.
Is there something you want everybody to know – Some good advice for our readers maybe?
Spread awareness about abuse of legit functionality of office software, scripts, email clients etc. among your family and your organization. More people and organizations get hacked through the abuse of functionalities than by an 0-day.
A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?
I am quite sure Microsoft is taking note of the developments related to AMSI. I expect the cat and mouse game to continue. There will be more fixes and more bypasses. But ultimately, the overall security of Windows boxes is definitely going to improve with AMSI.
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in Penetration Testing for his clients, which include many global corporate giants. He is also a member of the Red teams of selected clients.
He specializes in assessing security risks at secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation. Nikhil is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests and of Nishang, a post exploitation framework in PowerShell. In his spare time, he researches on new attack methodologies and updates his tools and frameworks.
He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs on http://www.labofapenetrationtester.com/