AMSI: How Windows 10 Plans to Stop Script-Based Attacks (DeepSec'16)

Slide text recovered from the page preview: "... obfuscation or layer dynamic code evaluation. As of now, Windows Defender and AVG use AMSI. Win32 API Layer"
References for the AMSI Win32 API layer:
https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx
https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
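The references above describe AMSI as a Win32 API (amsi.dll) that any application can call to have a buffer scanned by whichever providers are registered on the host. The following is an added example, not code from the talk or from the linked articles: it P/Invokes the documented AmsiInitialize / AmsiScanString / AmsiUninitialize functions from PowerShell, lists the registered providers from the registry, and submits both a harmless string and Microsoft's documented AMSI test sample. The application name "AmsiDemo" and content name "AmsiDemo.ps1" are arbitrary choices; the AMSI_RESULT constants are those of amsi.h. Results depend on which provider is installed and whether its real-time protection is enabled.

```powershell
# Added example (not from the slides): drive the AMSI Win32 API layer directly
# from PowerShell and enumerate the providers it will dispatch to.
# Assumes Windows 10 with amsi.dll and at least one registered provider.

if (-not ('AmsiNative' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr amsiSession, out int result);
}
"@
}

# AMSI_RESULT values from amsi.h; AmsiResultIsMalware() is simply result >= DETECTED.
$AMSI_RESULT_CLEAN                  = 0
$AMSI_RESULT_NOT_DETECTED           = 1
$AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
$AMSI_RESULT_BLOCKED_BY_ADMIN_END   = 0x4FFF
$AMSI_RESULT_DETECTED               = 32768

function Get-AmsiProvider {
    # Providers register their CLSID as a subkey of HKLM\SOFTWARE\Microsoft\AMSI\Providers;
    # the human-readable name is the default value of the matching HKLM\SOFTWARE\Classes\CLSID key.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction Stop | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name   = '(unknown)'
        if (Test-Path $clsKey) { $name = (Get-Item $clsKey).GetValue('') }
        [pscustomobject]@{ Clsid = $clsid; Name = $name }
    }
}

function Test-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'AmsiDemo.ps1'   # arbitrary label shown to the provider
    )
    $ctx = [IntPtr]::Zero
    $hr  = [AmsiNative]::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw "AmsiInitialize failed: HRESULT 0x$('{0:X8}' -f $hr)" }
    try {
        $result = 0
        # No session handle: each call is scanned in isolation (a host normally
        # reuses one session so the provider can correlate related buffers).
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, [IntPtr]::Zero, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanString failed: HRESULT 0x$('{0:X8}' -f $hr)" }
        $verdict = switch ($result) {
            { $_ -eq $AMSI_RESULT_CLEAN }        { 'CLEAN'; break }
            { $_ -eq $AMSI_RESULT_NOT_DETECTED } { 'NOT_DETECTED'; break }
            { $_ -ge $AMSI_RESULT_BLOCKED_BY_ADMIN_START -and $_ -le $AMSI_RESULT_BLOCKED_BY_ADMIN_END } { 'BLOCKED_BY_ADMIN'; break }
            { $_ -ge $AMSI_RESULT_DETECTED }     { 'DETECTED'; break }
            default                              { "UNKNOWN($_)" }
        }
        [pscustomobject]@{
            ContentName = $ContentName
            Result      = $result
            Verdict     = $verdict
            IsMalware   = ($result -ge $AMSI_RESULT_DETECTED)
        }
    } finally {
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Usage. The documented test sample is assembled from two halves here only because
# PowerShell hands this whole script to AMSI when it is loaded, and a literal copy
# of the sample would get the script itself blocked before it runs.
$sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
Get-AmsiProvider
Test-AmsiScan -Content 'Write-Host "hello"'
Test-AmsiScan -Content $sample
```

With Windows Defender active, the first scan returns NOT_DETECTED (1) and the test sample returns DETECTED (32768). A NOT_DETECTED verdict for the sample means no provider answered, which is the first thing to check when a script that should have been caught runs unhindered.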
https://github.com/Ben0xA/nps
All demonstrations on 64-bit Windows 10 build 10586
PowerShell code and scripts can be executed without using PowerShell.exe. Please see:
https://github.com/leechristensen/UnmanagedPowerShell
https://github.com/Ben0xA/nps
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick

Interesting methods to bypass application whitelisting:
http://subt0x10.blogspot.in/2016/04/bypass-application-whitelisting-script.html
http://subt0x10.blogspot.in/2015/08/application-whitelisting-bypasses-101.html
https://raw.githubusercontent.com/subTee/ApplicationWhitelistBypassTechniques/master/TheList.txt
http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
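The tools listed above host the PowerShell engine (System.Management.Automation.dll) inside an arbitrary process, so blocking or monitoring powershell.exe alone misses them. The following is an added example from the defender's side, not code from the talk or from those projects: the first function lists every process that has the engine DLL loaded but is not one of the known hosts, and the second reads engine start events (ID 400 in the "Windows PowerShell" log) and surfaces hosts other than the console and ISE. The list of known host names and the choice of 200 events are assumptions for this example; run it elevated so module lists of other users' processes are readable.

```powershell
# Added example (not from the slides): spot PowerShell engines running outside
# powershell.exe, as UnmanagedPowerShell, nps and PowerPick do.
# Assumes a 64-bit Windows 10 host and an elevated session.

function Get-UnmanagedPowerShellHost {
    # Any process that has loaded System.Management.Automation(.ni).dll is hosting
    # the PowerShell engine; filter out the hosts we expect to see.
    param(
        [string[]]$KnownHost = @('powershell', 'powershell_ise', 'pwsh')   # assumed list
    )
    foreach ($proc in Get-Process) {
        if ($KnownHost -contains $proc.ProcessName) { continue }
        try {
            $modules = $proc.Modules
        } catch {
            # Protected processes, exited processes and some cross-bitness cases
            # refuse module enumeration; report rather than skip silently.
            Write-Verbose "Cannot read modules of PID $($proc.Id) ($($proc.ProcessName)): $($_.Exception.Message)"
            continue
        }
        $engine = $modules | Where-Object { $_.ModuleName -like 'System.Management.Automation*' }
        if ($engine) {
            [pscustomobject]@{
                Id          = $proc.Id
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
                EngineDll   = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

function Get-PowerShellEngineStart {
    # Event 400 ("Engine state is changed from None to Available") is written by the
    # engine itself and its message carries HostName= and HostApplication= lines
    # describing the process that started it.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg  = $_.Message
            $host = ''; $app = ''
            if ($msg -match 'HostName=(.*)')        { $host = $Matches[1].Trim() }
            if ($msg -match 'HostApplication=(.*)') { $app  = $Matches[1].Trim() }
            [pscustomobject]@{
                Time            = $_.TimeCreated
                HostName        = $host
                HostApplication = $app
            }
        } |
        Where-Object { $_.HostName -ne 'ConsoleHost' -and $_.HostName -ne 'Windows PowerShell ISE Host' }
}

# Usage
Get-UnmanagedPowerShellHost -Verbose | Format-Table -AutoSize
Get-PowerShellEngineStart | Select-Object -First 20 | Format-Table -AutoSize
```

The module scan is the stronger signal: a custom host chooses its own HostName/HostApplication strings, so the event log view is a lead to investigate, not proof. For a log-based equivalent of the module scan, a Sysmon image-load rule (event ID 7) on System.Management.Automation*.dll records the same condition at load time instead of at poll time.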
Source: https://twitter.com/mattifestation/status/735261176745988096
Source: http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html