Obfuscating the empire: Lessons learned in AV in-memory script scanning

Presented at BSides Austin 2017, May 4, 2017, 1 p.m. (60 minutes)

As malware has adopted in-memory execution through PowerShell to bypass traditional antivirus file scanning, Microsoft has introduced the Antimalware Scan Interface (AMSI), which lets AV vendors scan scripts as they execute in memory and block them. ObfuscatedEmpire is an integration of Empire (a PowerShell post-exploitation agent) and Invoke-Obfuscation (a PowerShell obfuscator) that can be used to establish an in-memory PowerShell C2 channel and defeats the majority of AMSI signatures by automatically obfuscating every script run on a target machine. We will demo ObfuscatedEmpire and examine AMSI in greater detail from both an offensive and defensive perspective.
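Two checks a practitioner would want after reading this abstract, as an added example written for this page (not code from the talk, from Empire or from ObfuscatedEmpire): first, confirm that an AMSI provider is actually scanning script blocks, using Microsoft's documented AMSI test string; second, confirm that PowerShell script block logging is on, since it records the inner layers that obfuscation wrappers unwrap at run time. It assumes Windows 10 with PowerShell 5.1 and Microsoft Defender (or another registered AMSI provider), and an elevated session for the registry read; the function names are the editor's, not part of any tool.

```powershell
# Added example (editor's, not from the talk or ObfuscatedEmpire). Assumes Windows 10,
# PowerShell 5.1 and a registered AMSI provider such as Microsoft Defender. Function
# names are the editor's own.

function Test-AmsiScan {
    <#
      Returns $true if the AMSI provider blocks Microsoft's documented AMSI test
      string when PowerShell submits a newly created script block for scanning.
    #>
    # Built from two halves on purpose: if the full literal appeared contiguously,
    # AMSI would flag this whole file as one script block before any line ran.
    # Splitting a string is the simplest form of the signature evasion the talk
    # discusses; the signature only matches once the halves are joined.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-' + '4339-8740-0ac1484c1386'

    try {
        # [ScriptBlock]::Create parses new code, and the parser hands the assembled
        # text (now one contiguous string) to AMSI before it can execute.
        $null = [ScriptBlock]::Create("Write-Output '$sample'")
        return $false   # parsed without complaint: no provider, or AMSI tampered with
    }
    catch {
        # PowerShell surfaces an AMSI block as a ParseException whose message says
        # the script "contains malicious content and has been blocked".
        return ($_.Exception.Message -match 'malicious content')
    }
}

function Test-ScriptBlockLogging {
    # Script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational)
    # records each script block as it executes, so every layer that an obfuscator
    # unwraps with Invoke-Expression leaves its inner text in the log.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($value.EnableScriptBlockLogging -eq 1)
}

if (Test-AmsiScan) {
    'AMSI provider is scanning script blocks.'
} else {
    'AMSI did not block the test string: check the provider and look for tampering.'
}

if (Test-ScriptBlockLogging) {
    'Script block logging is enabled.'
} else {
    'Script block logging is off: set EnableScriptBlockLogging (DWORD) = 1 under the key above.'
}

# Most recent script blocks the log has captured, for triage. Properties[2] is the
# ScriptBlockText field of event 4104.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Text'; e = { $_.Properties[2].Value } }
```

Running this on a host where Test-AmsiScan returns $false while Defender is installed is itself a finding: either no provider is registered or something in the session has disabled AMSI. Note that string splitting defeats only a literal signature on the assembled text; once the halves are joined and re-parsed, as in the [ScriptBlock]::Create call above, AMSI sees the full string again, which is why obfuscators such as Invoke-Obfuscation also rewrite the executing code itself rather than just wrapping it.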

Presenters:

  • Ryan Cobb
    Ryan Cobb is a pentester and consultant at Protiviti, as well as a hobbyist software developer. He is the developer and maintainer of ObfuscatedEmpire.
