Presentation on antivirus products and how they operate. Some information about static, dynamic and network activities, AMSI, Metasploit templates, and signing binary files.
2. BEHIND THE AV LINE
ANTIVIRUSES
https://www.av-comparatives.org/list-of-enterprise-av-vendors-pc/
3. BEHIND THE AV LINE
BEYOND THE ANTIVIRUS, OR THE WORLD OF EDR
▸ Usually two components.
▸ Kernel mode (one or more drivers)
- process monitoring
▸ User mode (usually as a service)
- supporting functions: reinstall/update
- API hooking inside the monitored processes
5. BEHIND THE AV LINE
AMSI
▸ The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine.
▸ AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.
https://github.com/BC-SECURITY/DEFCON27/blob/master/Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf
6. BEHIND THE AV LINE
WINDOWS COMPONENTS THAT INTEGRATE WITH AMSI
▸ User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX
installation)
▸ PowerShell (scripts, interactive use, and dynamic code evaluation)
▸ Windows Script Host (wscript.exe and cscript.exe)
▸ JavaScript and VBScript
▸ Office VBA macros
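An added example, not from the deck: the integration described on the AMSI slide done from PowerShell (itself one of the AMSI-integrated hosts listed above), P/Invoking the documented amsi.dll functions to scan a constructed benign string and the public EICAR test string. Assumptions: Windows 10 or later with an AMSI provider registered (Microsoft Defender by default); the type name Demo.AmsiNative and the function Invoke-AmsiScan are this demo's own names.

```powershell
# Added example (not the deck's code): an application integrating with AMSI via amsi.dll.
# Assumes Windows 10+ with a registered AMSI provider; Demo.AmsiNative is this demo's own name.
$null = Add-Type -Name 'AmsiNative' -Namespace 'Demo' -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length, string contentName, IntPtr amsiSession, out uint result);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
'@

function Invoke-AmsiScan {
    param([Parameter(Mandatory)][string]$Content, [string]$ContentName = 'demo-input')
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero
    $hr = [Demo.AmsiNative]::AmsiInitialize('AmsiDemoScanner', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        $hr = [Demo.AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        # Script hosts hand AMSI UTF-16 text, so encode the same way the providers expect.
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Content)
        [uint32]$result = 0
        $hr = [Demo.AmsiNative]::AmsiScanBuffer($ctx, $bytes, [uint32]$bytes.Length, $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanBuffer failed: 0x{0:X8}' -f $hr) }
        # AMSI_RESULT: 0 clean, 1 not detected, 16384..20479 blocked by admin policy,
        # >= 32768 detected (the range the AmsiResultIsMalware() macro checks).
        [pscustomobject]@{
            ContentName    = $ContentName
            Result         = $result
            IsMalware      = ($result -ge 32768)
            BlockedByAdmin = ($result -ge 16384 -and $result -le 20479)
        }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [Demo.AmsiNative]::AmsiCloseSession($ctx, $session) }
        [Demo.AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Constructed benign input plus the public EICAR test string, which any AMSI provider
# should report as detected; runs as a regular user, no elevation needed.
$benign = 'Write-Output "hello from the AMSI demo"'
$eicar  = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
Invoke-AmsiScan -Content $benign -ContentName 'benign.ps1'
Invoke-AmsiScan -Content $eicar  -ContentName 'eicar.txt'
```

If the provider is disabled by policy, the second call still returns HRESULT 0 but with Result in the blocked-by-admin range rather than a detection, which is why the object reports both flags separately.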
7. BEHIND THE AV LINE
AMSI
https://github.com/BC-SECURITY/DEFCON27/blob/master/Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf