Explore an offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows through this 42-minute Derbycon 7 conference talk. Delve into the continued relevance of offensive PowerShell, the workings of PSAmsi, and techniques for signature detection and obfuscation. Learn about automating the obfuscation process, client-server architecture for evasion, and evolving strategies. Gain insights into the PSAmsi scanner class, finding MSI signatures, and implementing obfuscation examples. Discover how to leverage Group Policy and understand the implications for offensive security operations.
PSAmsi - An Offensive PowerShell Module for Interacting with the Anti Malware Scan Interface
via YouTube
Overview
Syllabus
Introduction
Who am I
My goals
Offensive PowerShell Dead Yet
Offensive PowerShell is not dead yet
Most organizations havent moved to Windows 10
PowerShell is open source
Macgraver
How it works
Why PSAmsi
Demo
PSAmsi scanner class
Find MSI signatures
Example script
Finding signatures
Obfuscation
Obfuscation example
Revo confiscation
How do we automate this process
Get minimally obfuscated
Clientserver architecture
Server side functionality
Invoke obfuscate
Limit alerts
Scan find signatures
Obfuscated signatures
Evolving
More languages
Group Policy
Closing remarks
PSAMC
Credits
