So long as Windows remains a popular attack target, researchers and hackers will keep pounding the platform to uncover new strategies for subverting Microsoft's defenses.
The bar for security is much higher than it used to be, as Microsoft has added multiple advanced mitigations in Windows 10 that take out entire classes of attacks. While hackers at this year’s Black Hat conference came armed with sophisticated exploitation techniques, there was tacit recognition that developing a successful technique is now much harder with Windows 10. Breaking into Windows through an OS vulnerability is harder than it was even a few years ago.
Use built-in antimalware tools
Microsoft has developed the Antimalware Scan Interface (AMSI), which can catch malicious scripts in memory. Any application can call it, and any registered antimalware engine can process the content submitted to AMSI, Nikhil Mittal, penetration tester and associate consultant with NoSoSecure, told attendees at his Black Hat session. Windows Defender and AVG currently use AMSI, and it should become more widely adopted.
“AMSI is a big step toward blocking script-based attacks in Windows,” Mittal said.
Cybercriminals increasingly rely on script-based attacks, especially ones that run in PowerShell, as part of their campaigns. It's tough for organizations to discover attacks that use PowerShell because they're hard to differentiate from legitimate administrative activity. It's also difficult to recover from them, because PowerShell scripts can touch any aspect of the system or network. With practically every Windows system now shipping with PowerShell preinstalled, script-based attacks are becoming much more common.
Criminals started using PowerShell and loading scripts in memory, but it took the defenders a while to catch on. “No one cared about PowerShell until a few years back,” Mittal said. “Our scripts are not getting detected at all. Antivirus vendors have only in the past three years embraced it.”
While it's easy to detect scripts saved on disk, it’s not so easy to stop scripts saved to memory from executing. AMSI tries to catch scripts at the host level, which means the input method -- whether saved on disk, stored in memory, or launched interactively -- doesn’t matter, making it a “game changer,” as Mittal said.
However, AMSI can’t stand alone; its usefulness depends on other security measures. It's very difficult for script-based attacks to execute without generating logs, so it’s important for Windows administrators to monitor their PowerShell logs regularly.
AMSI isn’t perfect -- it's less helpful at detecting obfuscated scripts or scripts loaded from unusual places such as WMI namespaces, registry keys, and event logs. PowerShell scripts executed without powershell.exe (for example, through tools such as Network Policy Server) can also trip up AMSI. There are ways to bypass AMSI, such as changing the signature of scripts, using PowerShell version 2, or disabling AMSI. Regardless, Mittal still considers AMSI “the future of Windows administration.”
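The log monitoring that the previous two paragraphs call for, as an added example that is not from the article or from Mittal's talk: it turns on Script Block Logging (which records script blocks even when they are built in memory rather than saved to disk) and triages event 4104 for the kinds of content AMSI struggles with. The indicator list is a constructed assumption, not an official one; an elevated Windows PowerShell 5.x session is assumed for the registry write.

```powershell
# Added example (not from the article). Enable Script Block Logging and triage
# event 4104 for in-memory / obfuscated script activity.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
# EnableScriptBlockLogging=1 makes PowerShell log every script block it compiles,
# including ones fetched into memory and never written to disk.
Set-ItemProperty -Path $policy -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Constructed indicator list (assumption): strings common in download-and-execute,
# encoded, or obfuscated script blocks that AMSI may not catch on its own.
$indicators = @('FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX',
                '-EncodedCommand', 'Net.WebClient', 'Add-Type', 'VirtualAlloc')

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 properties: [0] fragment index, [1] fragment count, [2] script text, [4] path
        $text = [string]$_.Properties[2].Value
        $path = [string]$_.Properties[4].Value
        if ($path -eq $PSCommandPath) { return }   # skip this script's own block
        $hits = $indicators | Where-Object { $text -match [regex]::Escape($_) }
        # PowerShell logs a block at Warning (level 3) when its own suspicious-content
        # heuristics fire, so keep those even without an indicator match.
        if ($hits -or $_.Level -eq 3) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Level      = $_.LevelDisplayName
                Indicators = ($hits -join ',')
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

Large script blocks are split across several 4104 events; group on the ScriptBlockId in Properties[3] if you need the full text rather than a fragment.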