Zobrazit v EDS

ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and.NET Environments.

Uloženo v:
Podrobná bibliografie
Název: ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and.NET Environments.
Autoři: Rose, Anthony J., Graham, Scott R., Schubert Kabban, Christine M., Krasnov, Jacob J., Henry, Wayne C.
Zdroj: Journal of Cybersecurity & Privacy; Jun2024, Vol. 4 Issue 2, p153-166, 14p
Témata: ANTI-malware (Computer software), COMPUTER operating systems, ANTIVIRUS software, SYNCHRONIZATION, PHISHING
Abstrakt: The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and.NET environments to circumvent the AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell's ScriptBlock creation and its inherent security features and pinpoints critical limitations in the AMSI's capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and.NET environments. [ABSTRACT FROM AUTHOR]
Copyright of Journal of Cybersecurity & Privacy is the property of MDPI and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Databáze: Complementary Index
Popis
Abstrakt:The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and.NET environments to circumvent the AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell's ScriptBlock creation and its inherent security features and pinpoints critical limitations in the AMSI's capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and.NET environments. [ABSTRACT FROM AUTHOR]
ISSN:2624800X
DOI:10.3390/jcp4020008