Search Results (3)

Search Parameters:
Keywords = antimalware scan interface

26 pages, 2318 KB  
Article
MPSD: A Robust Defense Mechanism against Malicious PowerShell Scripts in Windows Systems
by Min-Hao Wu, Fu-Hau Hsu, Jian-Hong Hunag, Keyuan Wang, Yen-Yu Liu, Jian-Xin Chen, Hao-Jyun Wang and Hao-Tsung Yang
Electronics 2024, 13(18), 3717; https://doi.org/10.3390/electronics13183717 - 19 Sep 2024
Cited by 3 | Viewed by 4481
Abstract
This manuscript introduces MPSD (Malicious PowerShell Script Detector), an advanced tool to protect Windows systems from malicious PowerShell commands and scripts commonly used in fileless malware attacks. These scripts are often hidden in Office document macros or downloaded remotely via PowerShell, posing significant threats to corporate networks. A 2018 report revealed that 77% of successful cyberattacks involved fileless malware, with PowerShell being the primary attack method, as highlighted in Red Canary's 2022 report. To counter these threats, MPSD leverages the Antimalware Scan Interface (AMSI) to intercept and analyze PowerShell scripts in real time, preventing their execution. It further utilizes VirusTotal to filter out malicious scripts. Unlike traditional methods that rely on direct access to scripts, MPSD detects them before execution, addressing the challenge of hidden or obfuscated scripts. Experimental results show that MPSD outperforms well-known antivirus engines, with a low false-negative rate of 1.83%. MPSD is highly effective against evasion techniques like concatenation, encoding, and reordering, making it a robust tool in the cybersecurity landscape.
14 pages, 911 KB  
Article
ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and .NET Environments
by Anthony J. Rose, Scott R. Graham, Christine M. Schubert Kabban, Jacob J. Krasnov and Wayne C. Henry
J. Cybersecur. Priv. 2024, 4(2), 153-166; https://doi.org/10.3390/jcp4020008 - 25 Mar 2024
Cited by 2 | Viewed by 4501
Abstract
The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and .NET environments to circumvent AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell's ScriptBlock creation and its inherent security features and pinpoints critical limitations in AMSI's capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and .NET environments.
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
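The MPSD abstract above describes AMSI handing PowerShell script text to a scanner before execution, and the ScriptBlock Smuggling abstract describes a gap between the text that gets scanned and logged and the AST that PowerShell compiles. The following PowerShell is an added example, not code from either paper: it calls AMSI directly through P/Invoke, scans a script text, then parses the same text with PowerShell's own parser and scans the AST's extent text, flagging any mismatch between the two. That comparison is a simplified illustration of the synchronization idea, not the mechanism the paper proposes. The type name AmsiDemo.Native, the two function names and the sample script strings are assumptions of this example; the test string is Microsoft's documented AMSI test sample, which every registered provider is expected to flag.

```powershell
# Added example (not from the MPSD or ScriptBlock Smuggling papers).
# Requires Windows 10 / Server 2016 or later with an AMSI provider (e.g. Microsoft Defender) registered.

$amsiSignature = @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr amsiContext, string content, string contentName, IntPtr session, out int result);

[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
'@
# Namespace and type name are assumptions of this example.
$Amsi = Add-Type -MemberDefinition $amsiSignature -Name 'Native' -Namespace 'AmsiDemo' -PassThru

function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'demo.ps1'
    )
    $ctx = [IntPtr]::Zero
    $hr = $Amsi::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw "AmsiInitialize failed: 0x$($hr.ToString('X8'))" }
    try {
        $result = 0
        $hr = $Amsi::AmsiScanString($ctx, $Content, $ContentName, [IntPtr]::Zero, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanString failed: 0x$($hr.ToString('X8'))" }
        # AMSI_RESULT: 0 = clean, 1 = not detected, 0x4000-0x4FFF = blocked by admin policy,
        # 0x8000 and above = detected.
        [pscustomobject]@{ Result = $result; Detected = ($result -ge 0x8000) }
    }
    finally {
        $Amsi::AmsiUninitialize($ctx)
    }
}

function Test-ScriptTextAgainstAmsi {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Parse the text exactly as PowerShell does before it compiles a script block.
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors) { throw "Parse errors: $(($errors | ForEach-Object Message) -join '; ')" }
    # The extent text is what the parser considers the script to be; scan it as well as the raw input
    # and report whether the two representations agree.
    $astText = $ast.Extent.Text
    [pscustomobject]@{
        RawScan        = Invoke-AmsiScan -Content $ScriptText
        AstScan        = Invoke-AmsiScan -Content $astText
        TextMatchesAst = ($astText -ceq $ScriptText)
    }
}

# Microsoft's documented AMSI test sample. It is assembled at run time because PowerShell
# scans this script's own text through AMSI when it compiles it, and the literal would be
# blocked before the demo ran.
$amsiTestSample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'

# Constructed sample inputs: one benign command line and one carrying the test sample.
Test-ScriptTextAgainstAmsi -ScriptText 'Get-Process | Select-Object -First 3'
Test-ScriptTextAgainstAmsi -ScriptText "Write-Host '$amsiTestSample'"
```

On a host with a working provider the first call returns Detected = False for both scans and the second returns Detected = True for both, with TextMatchesAst = True in each case because the parser's extent is the input it was given. AmsiScanString is the string convenience form of AmsiScanBuffer; the context is initialized once per scan here for clarity, but a long-running scanner would keep one context and open a session per script so that related scans can be correlated by the provider.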
15 pages, 1837 KB  
Article
Malicious Office Macro Detection: Combined Features with Obfuscation and Suspicious Keywords
by Xiang Chen, Wenbo Wang and Weitao Han
Appl. Sci. 2023, 13(22), 12101; https://doi.org/10.3390/app132212101 - 7 Nov 2023
Cited by 7 | Viewed by 4624
Abstract
Microsoft has implemented several measures to defend against macro viruses, including the use of the Antimalware Scan Interface (AMSI) and automatic macro blocking. Nevertheless, evidence shows that threat actors have found ways to bypass these mechanisms. As a result, phishing emails continue to utilize malicious macros as their primary attack method. In this paper, we analyze 77 obfuscation features from the attacker's perspective and extract 46 suspicious keywords in macros. We first combine the aforementioned two types of features to train machine learning models on a public dataset. Then, we conduct the same experiment on a self-constructed dataset consisting of newly discovered samples, in order to verify whether our proposed method can identify previously unseen malicious macros. Experimental results demonstrate that, compared to existing methods, our proposed method has a higher detection rate and better consistency. Furthermore, ensemble multi-classifiers with distinct feature selection can further enhance the detection performance.
(This article belongs to the Collection Innovation in Information Security)