In Windows 10, Microsoft introduced the Antimalware Scan Interface (AMSI), which is designed to counter script-based attacks and malware. Script-based attacks have been lethal for enterprise security, and with the advent of PowerShell such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript etc. and drastically improves the detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and the code is scanned for malicious content. What makes AMSI effective is that, no matter how obfuscated the code is, it must eventually be presented to the script host in clear, unobfuscated text. Moreover, since the code is submitted to AMSI just before execution, it does not matter whether the code came from disk, from memory or was entered interactively. AMSI is an open interface, and Microsoft says any application will be able to call its APIs. Currently, Windows Defender uses it on Windows 10. Has Microsoft finally killed script-based attacks? What are the ways out? The talk will be full of live demonstrations.
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 7+ years of experience in penetration testing for his clients, which include many global corporate giants. He is also a member of the red teams of selected clients. He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks. He has spoken/trained at conferences like Defcon, BlackHat, CanSecWest and more. He blogs at http://www.labofapenetrationtester.com/