Presented at
BSides Austin 2017,
May 4, 2017, 1 p.m.
(60 minutes).
As malware has adopted in-memory execution through PowerShell to bypass traditional file-based AV scanning, Microsoft has introduced the Antimalware Scan Interface (AMSI), which lets AV vendors inspect script content at the moment it is handed to the scripting engine and block its execution, even when nothing is ever written to disk.
ObfuscatedEmpire is an integration of Empire (a PowerShell post-exploitation agent) and Invoke-Obfuscation (a PowerShell obfuscator). It establishes a PowerShell C2 channel that operates entirely in memory and defeats most of the AV signatures applied through AMSI by automatically obfuscating every script before it runs on a target machine.
We will demo ObfuscatedEmpire, as well as examine AMSI in greater detail from both an offensive and defensive perspective.
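The defensive side of the abstract above rests on one fact: PowerShell submits script content to AMSI when a script block is compiled, including content assembled at runtime, so a host's AMSI provider can be checked from PowerShell itself. The following is an added example, not code from the talk, from ObfuscatedEmpire or from Invoke-Obfuscation. It uses the AMSI test sample string that Microsoft documents for verifying AMSI, builds it from two halves (so the function's own source does not carry the full signature, and the assembled content is what AMSI sees when Invoke-Expression compiles it), and reports whether the provider blocked it. The function name, the error text matched in the catch block, and the assumption of Windows 10 / Server 2016 or later with Microsoft Defender real-time protection are all this example's own.

```powershell
# Added example (not from the talk or ObfuscatedEmpire): check whether AMSI is
# scanning in-memory PowerShell content on this host, using the AMSI test
# sample string Microsoft documents for this purpose.
# Assumes Windows 10 / Server 2016 or later with a registered AMSI provider
# such as Microsoft Defender with real-time protection enabled. The error id
# and message text matched below are assumptions and may differ per provider.

function Test-AmsiActive {
    [CmdletBinding()]
    param()

    # Assemble the documented test string from two halves. The source of this
    # function therefore never contains the full signature, but AMSI still sees
    # the assembled content because Invoke-Expression compiles it into a new
    # script block before running it.
    $part1  = 'AMSI Test Sample: 7e72c3ce-861b'
    $part2  = '-4339-8740-0ac1484c1386'
    $sample = $part1 + $part2

    try {
        # -ErrorAction Stop turns any ordinary failure (e.g. 'AMSI' not being a
        # command, which is what happens when nothing blocks the content) into a
        # terminating error so it lands in the catch block below.
        Invoke-Expression -Command $sample -ErrorAction Stop | Out-Null
        # Reached only if the content ran without error: AMSI did not block it.
        return $false
    }
    catch {
        # Defender reports FullyQualifiedErrorId 'ScriptContainedMaliciousContent'
        # with a ParseException saying the script contains malicious content.
        if ($_.FullyQualifiedErrorId -eq 'ScriptContainedMaliciousContent' -or
            $_.Exception.Message -match 'malicious content') {
            return $true
        }
        # Any other error means the content reached the parser or runtime
        # without being blocked, so AMSI is absent or bypassed.
        return $false
    }
}

if (Test-AmsiActive) {
    Write-Host 'AMSI blocked the test sample: in-memory script scanning is active.'
}
else {
    Write-Warning 'AMSI did not block the test sample: scanning is absent or bypassed.'
}
```

Run the function on a host before and after an obfuscated payload is executed: a change from blocked to not blocked indicates that the provider was disabled or patched out rather than merely evaded by obfuscation, which is a different and more serious finding.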
Presenters:
- Ryan Cobb
Ryan Cobb is a pentester and consultant at Protiviti, as well as a hobbyist software developer. He is the developer and maintainer of the tool integration ObfuscatedEmpire.