#BHUSA: Microsoft AMSI Stops Script-based Attacks

Stopping script-based attacks is often a matter of using the protections that are already available, and Microsoft's Antimalware Scan Interface can help, a penetration testing expert told Black Hat

Script-based attacks are a common attack vector for cyber-criminals.

But according to Nikhil Mittal, penetration tester and associate consultant with NotSoSecure, Microsoft's new Antimalware Scan Interface (AMSI) can support organizations in their efforts to detect script-based incidents.

Speaking at Black Hat USA 2016 in Las Vegas on Wednesday 3 July, Mittal discussed how AMSI can be used to detect and block script-based attacks. Mittal, a longtime penetration tester and trainer who has spoken at DefCon, Black Hat and ShakaCon, has analyzed how script-based attacks, especially those built on PowerShell, can be tough to discover or recover from. “If the script gets touched in memory, that’s heartbreaking,” says Mittal. “If you can use PowerShell, use it.”

Most Windows 10 machines come with PowerShell pre-loaded on the system. But until a few years ago, Mittal says, there wasn’t a focus on script-based attacks and the systems made it difficult to perpetrate these attacks. “Nowadays, you won’t find any Windows machine without PowerShell,” says Mittal. “They all come with it preloaded.”

While various obfuscation techniques may stand in the way of AMSI, Mittal believes this is “the future of Windows administration.”

“No one cared about PowerShell until a few years back,” Mittal says. “Our scripts are not getting detected at all. Anti-virus vendors have only in the past three years embraced it.”

As adversaries step up their efforts and load their exploits directly into memory, organizations are looking to AMSI to help protect them. “Detection is easy for scripts saved to disc,” Mittal says. “But how do we stop the execution of scripts saved to memory?”

While it doesn’t solve all problems, Mittal believes that “AMSI is a game changer because it comes packaged by default on Windows 10.” When threat actors use obfuscation, Mittal says, there is less support and help from AMSI in Windows. Similarly, if PowerShell scripts are loaded from unusual places such as WMI namespaces, registry keys or event logs, they can be harder to detect. As a red team member, Mittal says he was “not always happy” looking at the smart ways to bypass AMSI.
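The detection side described above, as an added example that is not part of the article or Mittal's talk: a PowerShell check that a Windows 10 host has AMSI providers registered, that script block logging is turned on so in-memory scripts are recorded, and that PowerShell really submits script text to AMSI (using Microsoft's documented AMSI test string). It assumes PowerShell 5.1 or later and rights to read HKLM.

```powershell
# Added defender-side check (not the article's or the speaker's code).
# Assumes PowerShell 5.1+ on Windows 10/11 with read access to HKLM.

function Get-AmsiProviders {
    # Every registered AMSI provider (Defender, third-party AV) lists its COM CLSID here.
    $key = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" `
                    -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $name }
    }
}

function Test-ScriptBlockLogging {
    # Script block logging (event ID 4104) records scripts as PowerShell compiles them,
    # which is what makes scripts that only ever lived in memory visible afterwards.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
            -ErrorAction SilentlyContinue
    return [bool]($p -and $p.EnableScriptBlockLogging -eq 1)
}

function Test-AmsiActive {
    # Microsoft's AMSI test string (the AMSI counterpart of the EICAR file). It is joined at
    # run time so that saving this check script to disk does not itself trigger quarantine.
    # A working provider makes PowerShell refuse to run it with a "malicious content" error.
    if ($PSVersionTable.PSVersion.Major -lt 5) { return $false }   # AMSI needs PowerShell 5+
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression $sample | Out-Null
        return $false   # executed (or merely failed to parse) without being blocked
    } catch {
        return [bool]($_.FullyQualifiedErrorId -match 'MaliciousContent' -or
                      $_.Exception.Message -match 'malicious content')
    }
}

$providers = @(Get-AmsiProviders)
Write-Host "AMSI providers registered : $($providers.Count)"
$providers | ForEach-Object { Write-Host "  $($_.CLSID)  $($_.Name)" }
Write-Host "Script block logging on   : $(Test-ScriptBlockLogging)"
Write-Host "AMSI blocks test sample   : $(Test-AmsiActive)"
```

A host that reports zero providers or a false result for the test sample is one where in-memory PowerShell would run unscanned, regardless of what the on-disk antivirus catches.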

Mittal suggests changing the signature of scripts. Also, when testing the ability to bypass AMSI, organizations should consider using the ISESteroids module, which can be added to AMSI, to make it more effective. While pointing out various ways to bypass or avoid AMSI, despite it being preloaded on Windows 10, Mittal says that “AMSI is a big step forward towards blocking script-based attacks in Windows.”

Photo Credit: Black Hat 2016

Nikhal Mittal, speaking at Black Hat (Photo Credit: Richard C. Hoffman)
