Windows 10 AMSI-instrumentation ML classification for Preventing Script-Based Attacks
In this presentation we will show how machine learning can be applied to detect and stop the execution of already-running malicious scripts on Windows using a feature called AMSI. Versions of Windows 10 have AMSI script integration: the Windows script execution engines monitor script calls to COM interfaces during execution and pass this information to the installed default security product for scanning. Security products can access these logs and make a blocking decision that aborts execution of the script. First, we will present details on how the AMSI integration works and what these logs look like for malicious scripts. Next, we will present research on how deep-learning LSTM models can be used to classify malicious script behavior. Finally, we will present a more practical approach we have deployed: lightweight client models paired with heavy cloud models to deliver protection from these malicious scripts in real time, during execution.
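The following is an added illustration of the two-tier decision flow the abstract describes (a cheap client-side scorer that escalates uncertain cases to a heavier cloud-side scorer, with the verdict evaluated incrementally so execution can be aborted mid-script). It is not code from the presentation or from Microsoft's AMSI implementation: the event tokens, the per-token and bigram weights, and the thresholds are all constructed for the example, and the two scorers stand in for the real client and cloud models.

```python
"""Two-tier, streaming classification of AMSI-style script behaviour logs.

Added example (not the presentation's code). The traces, weights and
thresholds below are constructed; the 'client' and 'cloud' scorers are
placeholders for a lightweight on-host model and a heavier cloud model.
"""
from typing import Dict, List, Tuple

# Constructed traces: one token per script call that an AMSI-instrumented
# engine would hand to the security provider as the script runs.
BENIGN_TRACE = ["Get-ChildItem", "Where-Object", "Select-Object", "Format-Table"]
MALICIOUS_TRACE = ["New-Object", "Net.WebClient", "DownloadString",
                   "Invoke-Expression", "Add-Type", "VirtualAlloc"]
AMBIGUOUS_TRACE = ["New-Object", "Net.WebClient", "DownloadFile", "Start-Process"]

# Client model (constructed): per-token weights, cheap enough to run in-line.
CLIENT_WEIGHTS: Dict[str, float] = {
    "DownloadString": 0.35, "Invoke-Expression": 0.40, "Add-Type": 0.15,
    "VirtualAlloc": 0.40, "Net.WebClient": 0.10, "DownloadFile": 0.15,
}
CLIENT_BLOCK = 0.8   # at or above: client blocks on its own
CLIENT_ALLOW = 0.2   # at or below: client allows on its own; in between: escalate

# Cloud model (constructed): bigram weights that capture ordering between calls,
# i.e. the kind of context a heavier sequence model would pick up.
CLOUD_BIGRAMS: Dict[Tuple[str, str], float] = {
    ("Net.WebClient", "DownloadString"): 0.5,
    ("DownloadString", "Invoke-Expression"): 0.6,
    ("Net.WebClient", "DownloadFile"): 0.2,
    ("DownloadFile", "Start-Process"): 0.7,
    ("Add-Type", "VirtualAlloc"): 0.5,
}
CLOUD_BLOCK = 0.5


def client_score(trace: List[str]) -> float:
    """Sum of per-token weights, clipped to [0, 1]."""
    return min(1.0, sum(CLIENT_WEIGHTS.get(t, 0.0) for t in trace))


def cloud_score(trace: List[str]) -> float:
    """Sum of bigram weights over adjacent calls, clipped to [0, 1]."""
    return min(1.0, sum(CLOUD_BIGRAMS.get(p, 0.0) for p in zip(trace, trace[1:])))


def classify(trace: List[str]) -> Tuple[str, str]:
    """Return (verdict, tier): verdict is 'block' or 'allow', tier names the model
    that decided. Only ambiguous client scores pay the cost of a cloud round-trip."""
    s = client_score(trace)
    if s >= CLIENT_BLOCK:
        return "block", "client"
    if s <= CLIENT_ALLOW:
        return "allow", "client"
    c = cloud_score(trace)
    return ("block" if c >= CLOUD_BLOCK else "allow"), "cloud"


def scan_stream(trace: List[str]) -> Tuple[str, str, int]:
    """Re-evaluate after every call as the engine reports it; the first 'block'
    aborts the script. Returns (verdict, tier, number of calls seen)."""
    for n in range(1, len(trace) + 1):
        verdict, tier = classify(trace[:n])
        if verdict == "block":
            return verdict, tier, n
    return "allow", tier, len(trace)


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("malicious", MALICIOUS_TRACE),
                        ("ambiguous", AMBIGUOUS_TRACE)):
        print(name, scan_stream(trace))
```

Running the block shows the benign trace allowed entirely on the client, the malicious trace blocked by the cloud model after the third call (the client alone is still undecided at that point), and the ambiguous trace escalated and blocked only once the full download-then-execute sequence is visible; the streaming loop is what turns a classifier into the "abort the running script" behaviour the abstract describes.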