
Scripts-behavioral ML Classification Using Windows 10 AMSI-instrumentation

Date: August 26, 2022
Time: 11:30
Track: Main Track

As browser and operating system security have improved, conventional drive-by exploit attacks have declined and social-engineering based attacks have risen in their place. One of the main types of social-engineering attack uses emails with attached archives containing script-based malware loaders or macro attachments. These scripts are usually JavaScript, Visual Basic Script, macro documents or HTA files. If a user opens one of them, the script is hosted by a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Traditional signature-based AV approaches are often impractical against these attacks, because the time between a new email campaign starting and a signature being released is too long. Machine learning is needed to address this issue effectively.

In this presentation we will show how machine learning can be applied to detect and stop the execution of already-running malicious scripts on Windows using a feature called AMSI. Versions of Windows 10 include AMSI script integration: the Windows script execution engines monitor the script's calls to COM interfaces during execution and pass this information to the installed default security product for scanning. Security products can inspect these logs and make a blocking decision that aborts the execution of the script. First, we will present details of how the AMSI integration works and what these logs look like for malicious scripts. Next, we will present research on how ML models can be used to classify malicious script behavior. Finally, we will present a more practical approach we have deployed, using lightweight client models paired with heavy cloud models to deliver protection from these malicious scripts in real time during execution.

Speakers

Security Researcher, Microsoft

Ankit is a security researcher working with the Microsoft Defender Research Team. Most of his experience is in reverse-engineering malware, tracking targeted attacks, and developing detection logic for complex techniques. As a hobby, Ankit can often be found developing machine learning projects and integrating ML with various aspects of security.
