SlideShare une entreprise Scribd logo
1  sur  26
Télécharger pour lire hors ligne
AMSI: How Windows 10 Plans to
Stop Script-Based Attacks
and
How Well It Does It
Nikhil Mittal
whoami
• Twitter - @nikhil_mitt
• Blog – http://labofapenetrationtester.com
• Github - https://github.com/samratashok/
• Creator of Kautilya and Nishang
• Penetration Tester and Trainer
• Associate Consultant with NoSoSecure
• Spoken/Trained at: Defcon, Blackhat, CanSecWest,
Shakacon and more.
2AMSIBlack Hat US'16
Outline
• Script based attacks
• Introduction to AMSI
• AMSI – Detection and Blocking capabilities
• Failed attempts to avoid detection
• Bypassing AMSI
• Conclusion
3AMSIBlack Hat US'16
Script Based Attacks
What? - PowerShell, VBScript, Jscript.
Why? – Low rate of detection, very effective.
• Already present on targets.
• Used by system administrators.
• Provides access to various OS and Network components.
• PowerShell is future of Windows Remote Administration.
• Anti Virus vendors have only recently, 2013 onwards, started
to flag PowerShell scripts.
4AMSIBlack Hat US'16
Script Based Attacks
How? –
• Execute from disk
• Execute from memory – encodedcommand,
downloadstring, reflection.
Detection is easy for scripts saved to disk.
How to stop execution from memory?
5AMSIBlack Hat US'16
AntiMalware Scan Interface (AMSI)
According to Microsoft AMSI :
• Provides File, memory and stream scanning,
content source URL/IP reputation checks, and
other techniques.
• Can be integrated in any application.
• Includes additional calls for scripts that use
obfuscation or layer dynamic code evaluation.
• As of now (21st July 2016), Windows Defender and
AVG uses it.
6AMSIBlack Hat US'16
AMSI Architecture
Source: https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-
developers-new-malware-defenses/
7AMSIBlack Hat US'16
What makes AMSI effective?
AMSI tries to catch the scripts at the Scripting host
level. It means:
• Input method (disk, memory, interactive) doesn’t
matter.
• Use of System.Automation.dll (PowerShell scripts
without powershell.exe) doesn’t help as well.
• Less help from obfuscation.
8AMSIBlack Hat US'16
DEMO – AMSI Detection
9AMSIBlack Hat US'16
Putting AMSI to test – Unusual
storage
What if PowerShell scripts are loaded from unusual
places like:
• WMI namespaces
• Registry Keys
• Event logs
Traditional (disk based) detection is unable to catch
such scripts as the storage is rather unusual.
10AMSIBlack Hat US'16
Putting AMSI to test – Unusual
Execution
What if PowerShell scripts are executed:
• Without using powershell.exe - .Net classes,
separate runspace.
• Reflection (Memory space of other processes)
• Application whitelisting bypasses - InstallUtil,
regsrv32, rundll32
11AMSIBlack Hat US'16
DEMO – Putting AMSI to test –
Unusual Execution
12AMSIBlack Hat US'16
Is it all gloom and doom for Red
Teams?
Bypass and/or avoid AMSI
• Use PowerShell version 2 (needs .Net 3.0 which is
not present in a default Windows 10)
• Significantly change the
signature of your scripts –
limited effectiveness
• Disable AMSI
13AMSIBlack Hat US'16
Bypass or avoid AMSI
Signature bypass
• Obfuscation
• Not really hard to bypass AMSI using this.
1. Remove help section
2. Obfuscate function and variable names
3. Encode parts of script
4. Profit
• Obfuscation functionality in ISESteroids Module – Fast
and very effective at the time of writing.
14AMSIBlack Hat US'16
Bypass or avoid AMSI
Signature bypass
15AMSIBlack Hat US'16
Unload AMSI
• Set-MpPreference
• Unload from current process – Matt’s method
• P0wnedshell
16AMSIBlack Hat US'16
Bypass or avoid AMSI
Set-MpPreference
• Handy PowerShell cmdlet to play with Windows
Defender.
Set-MpPreference –
DisableRealtimeMonitoring $True
17AMSIBlack Hat US'16
Bypass or avoid AMSI
Set-MpPreference
• Shows a notification to the user
• Needs elevated privileges (not much headache in a post-
exploitation scenario)
• Event ID 5001 (Microsoft-Windows-Windows
Defender/Operational) - Windows Defender Real-Time
Protection was disabled.
18AMSIBlack Hat US'16
Bypass or avoid AMSI
Set-MpPreference
• To target AMSI:
Set-MpPreference –DisableIOAVProtection
$True
19AMSIBlack Hat US'16
Bypass or avoid AMSI
Set-MpPreference
• Doesn’t show any notification to the user
• Needs elevated privileges
• Event ID 5004 (Microsoft-Windows-Windows
Defender/Operational) - Windows Defender Real-Time
Protection feature (IE Downloads and Outlook Express
attachments) configuration has changed.
20AMSIBlack Hat US'16
Bypass or avoid AMSI
Unloading AMSI
• A one line AMSI bypass from Matt Graeber (screenshot)
(@mattifestation)
[Ref].Assembly.GetType('System.Management.Aut
omation.AmsiUtils').GetField('amsiInitFailed'
,'NonPublic,Static').SetValue($null,$true)
• Unload AMSI from current process.
• No need of elevated privileges
• Event ID 4104 (Microsoft-Windows-PowerShell/Operational)
– Suspicious script block logging
• Bypass the automatic logging?
21AMSIBlack Hat US'16
Bypass or avoid AMSI
Unloading AMSI
• A method discovered by Cornelis de Plaa (@Cneelis)
• Implemented in p0wnedshell
(https://github.com/Cn33liz/p0wnedShell)
• Drop amsi.dll in the current working directory while loading
the p0wnedshell runspace. The dll is loaded by the
runspace and exits immediately to unload AMSI.
• Event ID 4104 (Microsoft-Windows-
PowerShell/Operational) – Suspicious script block logging
(due to successful loading of scripts in memory)
• Bypass the automatic logging?
22AMSIBlack Hat US'16
Demo – Bypassing AMSI using a
Client Side Attack
23AMSIBlack Hat US'16
Image source: http://goo.gl/CmZbmL
WMF5 Auto Logging
• Hard to execute a PowerShell attack without
generating logs.
• Apparently, Obfuscation boils down to bypass the
logging.
• Who is monitoring the logs?
24AMSIBlack Hat US'16
Black Hat Sound Bytes
• AMSI is a big step forward towards blocking script
based attacks in Windows.
• It is possible to avoid AMSI using already known
methods and techniques.
• AMSI is useful only when used with other security
methods. Monitor the logs!
25AMSIBlack Hat US'16
Thank You
• Questions?
• Please provide feedback.
• Follow me @nikhil_mitt
• nikhil.uitrgpv@gmail.com
• http://www.labofapenetrationtester.com/2016/08/
amsi.html
• https://github.com/samratashok/AMSI
26AMSIBlack Hat US'16

Contenu connexe

Tendances

Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 

Tendances (20)

Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 

Similaire à AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
 
Tips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsStrongback Consulting
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
OSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven InfrastructureOSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven InfrastructureSchlomo Schapiro
 
OSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro -  Test Driven InfrastructureOSDC 2014: Schlomo Schapiro -  Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro - Test Driven InfrastructureNETWAYS
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and BestPositive Hack Days
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) Dragos, Inc.
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six MonthsAlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six MonthsErnest Mueller
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 

Similaire à AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It (20)

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
 
Tips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS Applications
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
OSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven InfrastructureOSDC 2014 Test Driven Infrastructure
OSDC 2014 Test Driven Infrastructure
 
OSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro -  Test Driven InfrastructureOSDC 2014: Schlomo Schapiro -  Test Driven Infrastructure
OSDC 2014: Schlomo Schapiro - Test Driven Infrastructure
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI)
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Damn Simics
Damn SimicsDamn Simics
Damn Simics
 
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six MonthsAlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
AlienVault USM Anywhere: Building a Security SaaS in AWS in Six Months
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 

Plus de Nikhil Mittal

Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 

Plus de Nikhil Mittal (9)

Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 

Dernier

OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 

Dernier (20)

20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It

  • 1. AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It Nikhil Mittal
  • 2. whoami • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Penetration Tester and Trainer • Associate Consultant with NoSoSecure • Spoken/Trained at: Defcon, Blackhat, CanSecWest, Shakacon and more. 2AMSIBlack Hat US'16
  • 3. Outline • Script based attacks • Introduction to AMSI • AMSI – Detection and Blocking capabilities • Failed attempts to avoid detection • Bypassing AMSI • Conclusion 3AMSIBlack Hat US'16
  • 4. Script Based Attacks What? - PowerShell, VBScript, Jscript. Why? – Low rate of detection, very effective. • Already present on targets. • Used by system administrators. • Provides access to various OS and Network components. • PowerShell is future of Windows Remote Administration. • Anti Virus vendors have only recently, 2013 onwards, started to flag PowerShell scripts. 4AMSIBlack Hat US'16
  • 5. Script Based Attacks How? – • Execute from disk • Execute from memory – encodedcommand, downloadstring, reflection. Detection is easy for scripts saved to disk. How to stop execution from memory? 5AMSIBlack Hat US'16
  • 6. AntiMalware Scan Interface (AMSI) According to Microsoft AMSI : • Provides File, memory and stream scanning, content source URL/IP reputation checks, and other techniques. • Can be integrated in any application. • Includes additional calls for scripts that use obfuscation or layer dynamic code evaluation. • As of now (21st July 2016), Windows Defender and AVG uses it. 6AMSIBlack Hat US'16
  • 8. What makes AMSI effective? AMSI tries to catch the scripts at the Scripting host level. It means: • Input method (disk, memory, interactive) doesn’t matter. • Use of System.Automation.dll (PowerShell scripts without powershell.exe) doesn’t help as well. • Less help from obfuscation. 8AMSIBlack Hat US'16
  • 9. DEMO – AMSI Detection 9AMSIBlack Hat US'16
  • 10. Putting AMSI to test – Unusual storage What if PowerShell scripts are loaded from unusual places like: • WMI namespaces • Registry Keys • Event logs Traditional (disk based) detection is unable to catch such scripts as the storage is rather unusual. 10AMSIBlack Hat US'16
  • 11. Putting AMSI to test – Unusual Execution What if PowerShell scripts are executed: • Without using powershell.exe - .Net classes, separate runspace. • Reflection (Memory space of other processes) • Application whitelisting bypasses - InstallUtil, regsrv32, rundll32 11AMSIBlack Hat US'16
  • 12. DEMO – Putting AMSI to test – Unusual Execution 12AMSIBlack Hat US'16
  • 13. Is it all gloom and doom for Red Teams? Bypass and/or avoid AMSI • Use PowerShell version 2 (needs .Net 3.0 which is not present in a default Windows 10) • Significantly change the signature of your scripts – limited effectiveness • Disable AMSI 13AMSIBlack Hat US'16
  • 14. Bypass or avoid AMSI Signature bypass • Obfuscation • Not really hard to bypass AMSI using this. 1. Remove help section 2. Obfuscate function and variable names 3. Encode parts of script 4. Profit • Obfuscation functionality in ISESteroids Module – Fast and very effective at the time of writing. 14AMSIBlack Hat US'16
  • 15. Bypass or avoid AMSI Signature bypass 15AMSIBlack Hat US'16
  • 16. Unload AMSI • Set-MpPreference • Unload from current process – Matt’s method • P0wnedshell 16AMSIBlack Hat US'16
  • 17. Bypass or avoid AMSI Set-MpPreference • Handy PowerShell cmdlet to play with Windows Defender. Set-MpPreference – DisableRealtimeMonitoring $True 17AMSIBlack Hat US'16
  • 18. Bypass or avoid AMSI Set-MpPreference • Shows a notification to the user • Needs elevated privileges (not much headache in a post- exploitation scenario) • Event ID 5001 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection was disabled. 18AMSIBlack Hat US'16
  • 19. Bypass or avoid AMSI Set-MpPreference • To target AMSI: Set-MpPreference –DisableIOAVProtection $True 19AMSIBlack Hat US'16
  • 20. Bypass or avoid AMSI Set-MpPreference • Doesn’t show any notification to the user • Needs elevated privileges • Event ID 5004 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection feature (IE Downloads and Outlook Express attachments) configuration has changed. 20AMSIBlack Hat US'16
  • 21. Bypass or avoid AMSI Unloading AMSI • A one line AMSI bypass from Matt Graeber (screenshot) (@mattifestation) [Ref].Assembly.GetType('System.Management.Aut omation.AmsiUtils').GetField('amsiInitFailed' ,'NonPublic,Static').SetValue($null,$true) • Unload AMSI from current process. • No need of elevated privileges • Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Suspicious script block logging • Bypass the automatic logging? 21AMSIBlack Hat US'16
  • 22. Bypass or avoid AMSI Unloading AMSI • A method discovered by Cornelis de Plaa (@Cneelis) • Implemented in p0wnedshell (https://github.com/Cn33liz/p0wnedShell) • Drop amsi.dll in the current working directory while loading the p0wnedshell runspace. The dll is loaded by the runspace and exits immediately to unload AMSI. • Event ID 4104 (Microsoft-Windows- PowerShell/Operational) – Suspicious script block logging (due to successful loading of scripts in memory) • Bypass the automatic logging? 22AMSIBlack Hat US'16
  • 23. Demo – Bypassing AMSI using a Client Side Attack 23AMSIBlack Hat US'16 Image source: http://goo.gl/CmZbmL
  • 24. WMF5 Auto Logging • Hard to execute a PowerShell attack without generating logs. • Apparently, Obfuscation boils down to bypass the logging. • Who is monitoring the logs? 24AMSIBlack Hat US'16
  • 25. Black Hat Sound Bytes • AMSI is a big step forward towards blocking script based attacks in Windows. • It is possible to avoid AMSI using already known methods and techniques. • AMSI is useful only when used with other security methods. Monitor the logs! 25AMSIBlack Hat US'16
  • 26. Thank You • Questions? • Please provide feedback. • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://www.labofapenetrationtester.com/2016/08/ amsi.html • https://github.com/samratashok/AMSI 26AMSIBlack Hat US'16

Notes de l'éditeur

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/ https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
  2. https://github.com/Ben0xA/nps
  3. All demonstrations on 64-bit Windows 10 build 10586
  4. PowerShell code and scripts can be executed without using PowerShell.exe. Please see: https://github.com/leechristensen/UnmanagedPowerShell https://github.com/Ben0xA/nps https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick Interesting methods to bypass Application whitelisting http://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.html http://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.html https://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txt http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
  5. Source: https://twitter.com/mattifestation/status/735261176745988096
  6. Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html