As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying instead on social-engineering based attacks. These socially-engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts will be hosted with a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Versions of Windows 10 have behavior instrumentation of some of the script execution engines in place, which passes behavior during execution to the default installed security product for scanning through the AMSI interface. In this presentation,
Geoff McDonald and Moustafa Saleh will present how they use this feature combined with machine learning in Windows Defender AV to protect against these attacks by pairing lightweight client behavior models with heavier real-time cloud models:
-
volatility-wnf: Browse and dump Windows Notification Facilities
This Volatility plugin is based on work of Alex Ionescu and Gabrielle Viala. https://blog.… -
Learning Android Forensics, 2nd Edition has been released
The 2nd edition of Learning Android Forensics by Oleg Skulkin, Donnie Tindal and Rohit Tam… -
yara_tools: Create YARA Rules In Python
Michael Matonis has written a library that helps security researchers create simple or com…
Load More Related Articles
-
Comae Stardust – New Features
Matt Suiche has recorded a presentation on the new features of Comae Stardust, such as pro… -
Smartphone Forensics: Why Building a Toolbox Matters
In the world of forensics, mobile device investigations could be the most complicated of a… -
MalDozer: Automatic Framework for Android Malware Chasing Using Deep Learning
ElMouatez Billah Karbab discusses his work at DFRWS EU 2018: …
Load More In Presentations
