As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying instead on social-engineering based attacks. These socially-engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts will be hosted with a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Versions of Windows 10 have behavior instrumentation of some of the script execution engines in place, which passes behavior during execution to the default installed security product for scanning through the AMSI interface. In this presentation,
Geoff McDonald and Moustafa Saleh will present how they use this feature combined with machine learning in Windows Defender AV to protect against these attacks by pairing lightweight client behavior models with heavier real-time cloud models:
-
Using MITRE ATT&CK for Forensics: BITS Jobs (T1197)
If you are doing incident response, you must know what MITRE ATT&CK is. As it’s … -
Parsing Carved EVTX Records Using EvtxECmd
Teru Yamazaki has posted about how to extract Windows Event Log files from allocated space… -
PowerShell and Python Together: Targeting Digital Investigations
A new book by Chet Hosmer has been released. The book will teach you how to use PowerShell…
Load More Related Articles
-
A Brief History of Attribution Mistakes
This presentation will examine the analytic mistakes the infosec community has made over t… -
Windows Store & Apps Analysis
Here are research, tools and scripts presented at Magnet User Summit 2019 by Yogesh Khatri… -
Digital Forensics and Incident Response in G Suite
This talk uses a real-life case scenario to prepare attendees for responding to security i…
Load More In Presentations
