Windows 10 AMSI-instrumentation ML classification for Preventing Script Based Attacks

As browser and operating system security have been improving, there has been a decline in conventional drive-by exploit attacks and a rise in social-engineering based attacks instead. One of the main types of social engineering attacks employs emails with attached archives containing script-based malware loaders. Usually these scripts are JavaScript, Visual Basic Script, or HTA files. If a user opens one of these scripts, the script will be hosted with a Windows script execution engine and usually proceeds to download and run malware such as ransomware. Traditional AV signature-based approaches to these attacks are often not practical since the time from a new email attack campaign starting to signature release is not fast enough. Machine learning is needed to effectively address this issue.

In this presentation we will be presenting how machine learning can be applied to detect and stop the execution of already-running malicious scripts on Windows using a feature called AMSI. Versions of Windows 10 have AMSI script integration where the Windows script execution engines monitor script calls to COM interfaces during execution and passes this information to the default installed security product for scanning. Security products can access these logs and make a blocking decision that will abort the execution of the script. Firstly, we will present details on how the AMSI integration works and what these logs look like for malicious scripts. Next, we will present research on how deep-learning LSTM models can be used to classify malicious script behavior. And finally, we will present a more practical approach we’ve deployed using lightweight client models paired with heavy cloud models to deliver protection from these malicious scripts in real-time during execution.