amsi: how windows 10 plans to stop script-based … · black hat usa amsi: how windows 10 plans to...

26

1

Upload: buinhu

Post on 19-Aug-2018

220 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

1

Page 2: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

2

Page 3: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

3

Page 4: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

4

Page 5: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

5

Page 6: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspxhttps://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

6

Page 7: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

7

Page 8: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

https://github.com/Ben0xA/nps

8

Page 9: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

All demonstrations on 64-bit Windows 10 build 10586

9

Page 10: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

10

Page 11: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

PowerShell code and scripts can be executed without using PowerShell.exe. Please see:https://github.com/leechristensen/UnmanagedPowerShellhttps://github.com/Ben0xA/npshttps://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick

Interesting methods to bypass Application whitelistinghttp://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.htmlhttp://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.htmlhttps://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txthttp://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html

11

Page 12: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

12

Page 13: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

13

Page 14: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

14

Page 15: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

15

Page 16: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

16

Page 17: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

17

Page 18: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

18

Page 19: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

19

Page 20: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

20

Page 21: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

Source: https://twitter.com/mattifestation/status/735261176745988096

21

Page 22: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html

22

Page 23: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

23

Page 24: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

24

Page 25: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

25

Page 26: AMSI: How Windows 10 Plans to Stop Script-Based … · black hat USA AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal

26

AMSI User Manual Site Users - Shelby County Schools Manual.pdf · AMSI Web Application Login Enter your normal Windows User Name and Password in the AMSI Web App Login Screen. If

AMSI CHOOSE MATHS RESEARCHamsi.org.au/media/AMSI-CM-Gender-report-2017.pdfAMSI CHOOSE MATHS RESEARCH [ No2 - 2017 ] Gender Report 2017: Participation, Performance, and ... acknowledgement

Simulation (AMSI Public Lecture)

Adaptive Multiscale Simulation Infrastructure - AMSI

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

Stop Clicking Your Mouse Button! We Can Script Thatprairiedeveloper.com/wp-content/uploads/2017/04/Stop-Clicking-We... · Stop Clicking Your Mouse Button! We Can Script That ... Create

AMSI BIOINFOSUMMER 2016 · AMSI BIOINFOSUMMER 2016 | THE UNIVERSITY OF ADELAIDE 7 PROGRAM Monday 28 November Introduction to Biology and Bioinformatics Code, genetics, and the genetic

Property Management Product Development Update Randy Lott Director, Development AMSI

AMSI Vacation Research Scholarships 2017/2018 · AMSI would like to express its appreciation to all Vacation Research Scholarship supervisors who gave their time and expertise to

2 AMSI VACATION RESEARCH SCHOLARSHIPS 2018/19 | AMSI … · project also delivers their first academic publication. The 2018/19 program intake was the largest cohort to date. From

Hypnosis - Sample Hypnosis Script - Put a Dead Halt Stop to Self-Sabotage

AMSI Alumni around the world (V.03)

AMSI WINTER SCHOOL 2016

CIVIL ENGINEER - AMSI Careers

WHAT IS CHOOSE ? PAGE 3 PAGE 5 PAGE 7 - AMSI Schoolschoosemathsstudents.amsi.org.au/wp-content/uploads/... · Institute (AMSI) and the BHP Billiton Foundation. Working with students,

CARMA/AMSI Workshop: Haar Measure Short Course 1

AMSI Schools Celebrate the UAE’s 44 th National Day and ...media.amsi.ae/documents/amsi/newsletters/2015-2016/01122016_… · December 2015 - Issue #16 Email: [email protected] Tel:

Association of Modern Scientific Investigation - AMSI

CongratulationsClass of 2016 - AMSI

AMSI BIOINFOSUMMER 2017 | MONASH UNIVERSITY 4-8 …€¦ · around Australia it forms part of the Securing Australias Mathematical Workforce: 2016-2020 agreement between AMSI and

INSTRUCTOR’S GUIDE – STOP, LOOK, WAVE · INSTRUCTOR’S GUIDE – STOP, LOOK, WAVE INTRODUCTION Background information ... (a script is available) and visualised through a PowerPoint

AMSI BIOINFOSUMMER 2016amsi.org.au/wp-content/uploads/2017/12/2016-bioinfosummer-22-1… · “AMSI BioInfoSummer 2016 continued a highly successful tradition of collaboration, showcasing

AMSI Summer Schoolamsi.org.au/wp-content/uploads/2016/10/2015-16_summerschool_re… · he AMSI Summer School is one of the key events in the calendar of the Australian mathematical

Grade 7 English Summer Work 2016 - AMSI

Annual Report 2010 ‑ 2011 - AMSIamsi.org.au/.../2014/07/AMSI_annual_report2010-11.pdf · AMSI Annual Report 2010 ‑ 2011 Clearly the review of AMSI has been a major initiative

Script Solving Economics and Finance problems with MATLAB · Script Solving Economics and Finance problems with MATLAB Peter H. Gruber July 29, 2016. Useful shortcuts + Stop MATLAB:

ALGEBRAIC FRACTIONS - AMSI

FileMaker Pro 13 · • pause and resume a script, based on defined conditions • conditionally perform script steps using if/then/else logic • stop a script before it's finished,

Understanding Evasive Script Tactics · malicious scripts in Microsoft ® Excel and Word. While AMSI is used by Windows Defender, Microsoft has also extended it to third party software

1 1 The Physical Market AMSI Workshop, April 2007

AMSI 2016 Annual Report · all-sector, all-discipline internship program, AMSI Intern. A key priority under the National Innovation and Science Agenda, this will support delivery

AMSI Vacation Research Scholarships

Thank you to the following AMSI BioInfoSummer 2019 ... · “AMSI BioInfoSummer is the leading training event in the rapidly-growing interdisciplinary field of bioinformatics, focused

AMSI CHOOSE MATHS RESEARCHamsi.org.au/wp-content/uploads/2018/01/amsi-cm-gender-report-2017...AMSI CHOOSE MATHS RESEARCH [ No2 - 2017 ] ... the Choose Maths project is working to build