PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10

Presented at DerbyCon 7.0 Legacy (2017), Sept. 22, 2017, 4 p.m. (50 minutes).

"As use of ""fileless"" malware using PowerShell to stay in memory and evade traditional AV file scanning techniques has increased, Microsoft introduced the AMSI protocol in Windows 10 to allow AV vendors to scan scripts executing in memory and prevent execution. With these newer in memory AV techniques, attackers need tools to help avoid AV detection of their scripts in memory. PSAmsi uses PowerShell reflection to load Windows AMSI functions into memory, allowing an attacker to interact directly with the interface. We will discuss (and demo!) several use cases built into PSAmsi (offensive and defensive) for interacting with the AMSI, including using PSAmsi to automatically, minimally obfuscate scripts to simultaneously defeat both AMSI signatures and obfuscation detection techniques." Ryan Cobb is a pentester and consultant at Protiviti. He actively develops open source security tools, including ObfuscatedEmpire and PSAmsi. @cobbr_io

Presenters:

Links:

Similar Presentations: