Presented at DeepSec 2016 „Ten“
In Windows 10, Microsoft introduced the Antimalware Scan Interface (AMSI), which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security, and with the advent of PowerShell such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc., and drastically improves the detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is on disk or in transit, it has to be presented to the script host in clear, unobfuscated text. Moreover, since the code is submitted to AMSI just before execution, it doesn't matter whether the code comes from disk, from memory or was entered interactively. AMSI is an open interface, and Microsoft says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10. Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI? The talk will be full of live demonstrations.
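To make the "open interface" point concrete, here is an added example (not from the talk or from the speaker's tools) that calls the AMSI API from PowerShell via P/Invoke, exactly as a script host or any other application would, and reports the registered provider's verdict on a string before it would run. It assumes a Windows 10 or later host with amsi.dll present, and that the scanned test string is Microsoft's published AMSI test sample (an assumption to check against the AMSI documentation), which providers flag without it being actual malware.

```powershell
# Added example: application-side use of the AMSI API (AmsiInitialize / AmsiOpenSession /
# AmsiScanString) from PowerShell. Not part of the original talk or of Nishang/Kautilya.
Add-Type -Namespace AmsiDemo -Name Native -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr amsiContext, string content, string contentName, IntPtr session, out int result);
'@

function Invoke-AmsiScan {
    param([Parameter(Mandatory)][string]$Content, [string]$ContentName = 'demo-script')
    $ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero
    if ([AmsiDemo.Native]::AmsiInitialize('AmsiDemoApp', [ref]$ctx) -ne 0) { throw 'AmsiInitialize failed' }
    try {
        if ([AmsiDemo.Native]::AmsiOpenSession($ctx, [ref]$session) -ne 0) { throw 'AmsiOpenSession failed' }
        $result = 0
        $hr = [AmsiDemo.Native]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw ("AmsiScanString failed with HRESULT 0x{0:X8}" -f $hr) }
        # AMSI_RESULT values: 0 = CLEAN, 1 = NOT_DETECTED, 16384..20479 = blocked by admin policy,
        # 32768 (AMSI_RESULT_DETECTED) and above = malware. AmsiResultIsMalware() in amsi.h is $result -ge 32768.
        [pscustomobject]@{ ContentName = $ContentName; RawResult = $result; IsMalware = ($result -ge 32768) }
    } finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiDemo.Native]::AmsiCloseSession($ctx, $session) }
        if ($ctx -ne [IntPtr]::Zero) { [AmsiDemo.Native]::AmsiUninitialize($ctx) }
    }
}

# Registered AMSI providers (CLSIDs) live under this key; an empty list means no engine answers the scan.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

# Benign content should come back clean; the documented test sample should be reported as detected.
Invoke-AmsiScan -Content 'Write-Output "hello"'
Invoke-AmsiScan -Content 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386' -ContentName 'amsi-test-sample'
```

If the second call does not return IsMalware = True on a machine with Windows Defender running, AMSI is not wired up as expected on that host, which is the kind of gap a defender wants to find before an attacker does.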
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 8+ years of experience in penetration testing for his clients, which include many global corporate giants. He is also a member of the red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices (HIDs) in penetration tests and PowerShell for post exploitation. Nikhil is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and of Nishang, a post-exploitation framework in PowerShell. In his spare time, he researches new attack methodologies and updates his tools and frameworks.
He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs on http://www.labofapenetrationtester.com/