PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10

Presented at DerbyCon 7.0 Legacy (2017), Sept. 22, 2017, 4 p.m. (50 minutes)

"As use of ""fileless"" malware using PowerShell to stay in memory and evade traditional AV file scanning techniques has increased, Microsoft introduced the AMSI protocol in Windows 10 to allow AV vendors to scan scripts executing in memory and prevent execution. With these newer in memory AV techniques, attackers need tools to help avoid AV detection of their scripts in memory. PSAmsi uses PowerShell reflection to load Windows AMSI functions into memory, allowing an attacker to interact directly with the interface. We will discuss (and demo!) several use cases built into PSAmsi (offensive and defensive) for interacting with the AMSI, including using PSAmsi to automatically, minimally obfuscate scripts to simultaneously defeat both AMSI signatures and obfuscation detection techniques." Ryan Cobb is a pentester and consultant at Protiviti. He actively develops open source security tools, including ObfuscatedEmpire and PSAmsi. @cobbr_io

Presenters:

• Ryan Cobb

Links:

• https://www.derbycon.com/friday-schedule/#event-45
• https://infocon.org/cons/DerbyCon/DerbyCon 7 2017/PSAmsi An offensive PowerShell module for interacting with the Anti Malware Scan Interface in W.mp4

Similar Presentations:

• Black Hat USA 2016 / AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
• DeepSec 2016 „Ten“ / AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That
• BSides Austin 2017 / Obfuscating the empire: Lessons learned in AV in-memory script scanning