As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying instead on social-engineering based attacks. These socially-engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts will be hosted with a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Versions of Windows 10 have behavior instrumentation of some of the script execution engines in place, which passes behavior during execution to the default installed security product for scanning through the AMSI interface. In this presentation,
Geoff McDonald and Moustafa Saleh will present how they use this feature combined with machine learning in Windows Defender AV to protect against these attacks by pairing lightweight client behavior models with heavier real-time cloud models:
-
Incident Forensics Lifecycle
Recently I’m becoming more and more interested in cyber threat intelligence. I even … -
Shining a light on Spotlight: Leveraging Apple’s desktop search utility to recover deleted file metadata on macOS
Spotlight is a proprietary desktop search technology released by Apple in 2004 for its Mac… -
Load More Related Articles
-
-
Lean Hunting
(Threat) Hunting has been around long enough that most agree it should be part of any comp… -
Load More In Presentations
