As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying instead on social-engineering based attacks. These socially-engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts will be hosted with a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Versions of Windows 10 have behavior instrumentation of some of the script execution engines in place, which passes behavior during execution to the default installed security product for scanning through the AMSI interface. In this presentation,
Geoff McDonald and Moustafa Saleh will present how they use this feature combined with machine learning in Windows Defender AV to protect against these attacks by pairing lightweight client behavior models with heavier real-time cloud models:
-
Using MITRE ATT&CK for Forensics: Image File Execution Options Injection (T1183)
As was promised, we continue our Using MITRE ATT&CK for Forensics series. This time we… -
Using MITRE ATT&CK for Forensics: WMI Event Subscription (T1084)
First of all, I would like to thank all of those who liked and retweeted the previous arti… -
The PoSh Hunter CTF
If you want to test your PowerShell skills and interested in threat hunting – the Po…
Load More Related Articles
-
Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis
Last week Sarah Edwards attended MacDevOpsYVR in Vancouver, Canada, and had a talk about h… -
A Brief History of Attribution Mistakes
This presentation will examine the analytic mistakes the infosec community has made over t… -
Windows Store & Apps Analysis
Here are research, tools and scripts presented at Magnet User Summit 2019 by Yogesh Khatri…
Load More In Presentations
