How Threat Actors Try to Bypass Microsoft's Antimalware Scan Interface (AMSI)

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

As Windows 10 and recent Windows Server releases have become the dominant targets, malware authors and other cybercriminals have increasingly focused on evading detection by taking the anti-malware "traffic cop" out of these platforms: Microsoft's Antimalware Scan Interface (AMSI).
AMSI, introduced in 2015, is a vendor-agnostic interface through which an application hands files, memory buffers or streams to whichever anti-malware product is installed, so the content can be checked for malicious payloads before it runs. It gives anti-malware software visibility into the Microsoft components and applications that adversaries routinely abuse in "living off the land" (LotL) techniques: the PowerShell engine, the Windows Script Host (wscript.exe and cscript.exe), Office document macros, the .NET Framework (from version 4.8) and Windows Management Instrumentation (WMI).
More recently, AMSI was extended to scan Excel 4.0 (XLM) macros in Office 365, in response to the surge in malicious macros as an infection vector.
Sophos researchers examined the techniques used to circumvent or disable AMSI and reported on Wednesday that threat actors try everything from living-off-the-land techniques to fileless attacks.
Sophos pointed to a 2016 tweet by security researcher Matt Graeber that showed how easily AMSI could be switched off: a single line of PowerShell used reflection to flip an internal flag in PowerShell's AMSI integration, which in theory stopped PowerShell-based processes from requesting scans at all.
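To make the two sides of this concrete, here is an added example (my own code, not from the article or from Sophos) that exercises AMSI from PowerShell. The first part calls the documented amsi.dll exports directly through P/Invoke and returns the verdict the registered provider gives for a piece of content; the second part checks whether the current PowerShell session is still submitting script blocks to AMSI, which is exactly what a bypass like the one above switches off. It assumes Windows 10 / Server 2016 or later with an AMSI provider such as Microsoft Defender registered; the type and function names (AmsiNative, Invoke-AmsiScan, Test-PowerShellAmsiIntegration, Get-AmsiTestSample) are mine. The content it scans is Microsoft's AMSI test sample string, which every provider is expected to detect.

```powershell
# Added example, not part of the original article. Requires an AMSI provider
# (e.g. Microsoft Defender) on Windows 10 / Server 2016 or later.

if (-not ('AmsiNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

// Minimal P/Invoke declarations for the documented amsi.dll exports.
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr amsiSession, out int result);
}
'@
}

# Microsoft's EICAR-style AMSI test sample. It is assembled at run time so that
# the script text of this block is not itself flagged when PowerShell submits
# it to AMSI before execution; only the explicit scans below should fire.
function Get-AmsiTestSample {
    return 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
}

# Part 1: hand arbitrary content to the registered provider and return the raw
# AMSI_RESULT plus a verdict. AMSI_RESULT_DETECTED is 32768 and anything at or
# above it is malware; 0x4000..0x4FFF means "blocked by administrator policy".
function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'added-example'
    )
    $ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero; $result = 0
    $hr = [AmsiNative]::AmsiInitialize('AmsiExample', [ref]$ctx)
    if ($hr -ne 0) { throw "AmsiInitialize failed: HRESULT 0x$('{0:X8}' -f $hr)" }
    try {
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw "AmsiOpenSession failed: HRESULT 0x$('{0:X8}' -f $hr)" }
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanString failed: HRESULT 0x$('{0:X8}' -f $hr)" }
    } finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiNative]::AmsiCloseSession($ctx, $session) }
        [AmsiNative]::AmsiUninitialize($ctx)
    }
    $verdict = if ($result -ge 32768) { 'DETECTED' }
               elseif ($result -ge 0x4000 -and $result -le 0x4FFF) { 'BLOCKED_BY_ADMIN' }
               elseif ($result -eq 0) { 'CLEAN' }
               else { 'NOT_DETECTED' }
    [pscustomobject]@{ Content = $Content; Result = $result; Verdict = $verdict }
}

# Part 2: is this PowerShell session still asking AMSI to scan script blocks?
# The engine scans every script block before running it; when the provider
# flags the test sample, PowerShell throws a ParseException ("This script
# contains malicious content..."). If the sample runs without objection, either
# no provider is registered or the integration has been disabled in this
# process, which is the condition a defender should alert on.
function Test-PowerShellAmsiIntegration {
    $sample = Get-AmsiTestSample
    try {
        Invoke-Expression ('"' + $sample + '"') | Out-Null
        return $false
    } catch [System.Management.Automation.ParseException] {
        return $true
    }
}

Invoke-AmsiScan -Content 'Write-Host "hello"'   # benign content
Invoke-AmsiScan -Content (Get-AmsiTestSample)   # known-bad test sample
"PowerShell AMSI integration active: $(Test-PowerShellAmsiIntegration)"
```

Two caveats when running it. Some providers treat scripts that import amsi.dll exports as suspicious in their own right, so the block may be stopped before the explicit scan runs; that is AMSI doing its job, not a defect in the example. And a `$false` from Test-PowerShellAmsiIntegration on a host that does have a provider is the signal that matters: it means script blocks in that process are no longer reaching the scanner, whatever the cause.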
Most

[…]