PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10

DerbyCon 7.0 - Legacy

Presented by: Ryan Cobb
Date: Friday September 22, 2017
Time: 16:00 - 16:50
Location: Track 1 - Break Me

As use of "fileless" malware using PowerShell to stay in memory and evade traditional AV file scanning techniques has increased, Microsoft introduced the AMSI protocol in Windows 10 to allow AV vendors to scan scripts executing in memory and prevent execution.

With these newer in-memory AV techniques, attackers need tools to help avoid AV detection of their scripts in memory. PSAmsi uses PowerShell reflection to load Windows AMSI functions into memory, allowing an attacker to interact directly with the interface.

We will discuss (and demo!) several use cases built into PSAmsi (offensive and defensive) for interacting with the AMSI, including using PSAmsi to automatically, minimally obfuscate scripts to simultaneously defeat both AMSI signatures and obfuscation detection techniques.

Ryan Cobb

Ryan Cobb is a pentester and consultant at Protiviti. He actively develops open source security tools, including ObfuscatedEmpire and PSAmsi. @cobbr_io
