A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10 - Ryan Cobb Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10
Ryan Cobb
Derbycon 2017

As use of "fileless" malware using PowerShell to stay in memory and evade traditional AV file scanning techniques has increased, Microsoft introduced the AMSI protocol in Windows 10 to allow AV vendors to scan scripts executing in memory and prevent execution. With these newer in memory AV techniques, attackers need tools to help avoid AV detection of their scripts in memory. PSAmsi uses PowerShell reflection to load Windows AMSI functions into memory, allowing an attacker to interact directly with the interface. We will discuss (and demo!) several use cases built into PSAmsi (offensive and defensive) for interacting with the AMSI, including using PSAmsi to automatically, minimally obfuscate scripts to simultaneously defeat both AMSI signatures and obfuscation detection techniques.

Ryan Cobb is a pentester and consultant at Protiviti. He actively develops open source security tools, including ObfuscatedEmpire and PSAmsi.

@cobbr_io

Back to Derbycon 2017 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast