APJudge: An AMSI-based Solution to Fileless Attacks

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：6

、訪客IP：18.218.184.214

姓名

劉彥佑(Yen-Yu Liu) 查詢紙本館藏

畢業系所

資訊工程學系在職專班

論文名稱

(APJudge: An AMSI-based Solution to Fileless Attacks)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 (2027-6-30以後開放)

摘要(中)

惡意程式隨著攻擊手法不斷演進，逐漸從檔案類型惡意程式演變為搭配無檔案攻擊技術的惡意程式，為了防禦惡意程式攻擊，傳統防毒軟體大多是屬於檔案類型的掃描技術，透過資料庫中的特徵碼偵測檔案類型惡意程式，但無法有效應對無檔案惡意程式攻擊，例如Windows Office文件的巨集功能所提供的腳本指令，或使用Microsoft PowerShell系統管理工具，將惡意程式直接載入到記憶體執行，而不會將惡意程式以檔案形式存放在儲存裝置中，藉此躲避防毒軟體偵測，同時減少留在目標裝置中的足跡，而增加調查攻擊手法的困難度。因此我們提出一套基於Antimalware Scan Interface Provider的檢測機制APJudge，當PowerShell執行腳本指令載入惡意程式內容時，會攔截其內容並進行檢測，再依據檢測結果判斷是否為惡意程式，並終止惡意程式的執行，藉此防止無檔案惡意攻擊的威脅。

摘要(英)

With the continuous evolution of attack techniques, malware has gradually evolved from file-based malware to fileless attacks. To defend against fileless malware, traditional antivirus software is generally file-based scanning techniques to detect file-based malware. However, they usually can’t effectively deal with fileless malware attacks, such as scripts in the macro of Windows Office documents, or the system administrator tool Microsoft PowerShell. Those attacks can execute malware in memory directly without the need to store the malware in a filesystem. Evade detection by antivirus software, and reduce the trace left on the target device to increase the difficulty of investigating fileless attacks. Therefore, we propose a detection mechanism APJudge based on Antimalware Scan Interface Provider. When PowerShell executes scripts to load malicious contents, it will intercept the contents and distinguish them between benign and malicious according to the detection result. Finally terminate the malicious process to prevent the threat of fileless malicious attacks.

關鍵字(中)

★ 無檔案攻擊

關鍵字(英)

★ PowerShell
★ Antimalware Scan Interface
★ AMSI

論文目次

摘要 i
Abstract ii
誌謝 iii
目錄 iv
圖目錄 vi
表目錄 viii
第1章緒論 1
第2章背景介紹 2
2.1 無檔案惡意程式 2
2.2 無檔案惡意程式特性 3
第3章相關研究 7
3.1 Antimalware Scan Interface 7
3.2 AMSI架構及執行流程 8
第4章系統設計與架構 12
4.1 設計原理 12
4.2 系統架構 14
4.2.1 Register 16
4.2.2 Scanner 17
4.2.3 Hashing 18
4.2.4 Requester 19
4.2.5 Judge 20
4.3 系統流程 21
第5章系統評估 23
5.1 系統環境 23
5.2 系統結果 23
5.3 效果評估 28
5.4 效果比較 34
第6章討論 37
6.1 系統限制 37
6.2 未來展望 38
第7章總結 39
參考文獻 40

參考文獻

[1] Trend Labs趨勢科技全球技術支援與研發中心. 無檔案惡意程式(Fileless Malware)五種運作方式. (2019). [Online]. Available: https://blog.trendmicro.com.tw/?p=58512#more-58512
[2] B.N. Sanjay, D.C. Rakshith, R.B. Akash, and Dr.Vinay V. Hegde, "An Approach to Detect Fileless Malware and Defend its Evasive mechanisms," in Computational Systems and Information Technology for Sustainable Solutions (CSITSS), 2018 3rd International Conference, pp. 234-239.
[3] Wikipedia. (2022). HTML Application. [Online]. Available: https://en.wikipedia.org/wiki/HTML_Application
[4] Microsoft. (2022). Fileless threats. [Online]. Available: https://docs.microsoft.com/zh-tw/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide
[5] Tricia Howard. (2020). Powershell Obfuscation Demystified Series Chapter 1: Intro. [Online]. Available: https://www.cynet.com/attack-techniques-hands-on/powershell-obfuscation-demystified-series-chapter-1-intro/
[6] D. Hendler, S. Kels, and A. Rubin, "AMSI-Based Detection of Malicious PowerShell Code Using Contextual Embeddings," in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. ACM, 2020, pp. 679-693.
[7] Shiran Grinberg. (2022). Office Macro Attacks. [Online]. Available: https://www.cynet.com/attack-techniques-hands-on/office-macro-attacks/
[8] Tom Leemreize. (2021). Analyzing Fileless Malware for the .NET Framework through CLR Profiling. [Online]. Available: http://essay.utwente.nl/86340/1/Leemreize_MA_EEMCS.pdf
[9] PowerShellMafia. (2020). PowerSploit - A PowerShell Post-Exploitation Framework. [Online]. Available: https://github.com/PowerShellMafia/PowerSploit
[10] Joe Bialek. Invoke-ReflectivePEInjection. [Online]. Available: https://powersploit.readthedocs.io/en/latest/CodeExecution/Invoke-ReflectivePEInjection/
[11] Stephen Fewer. (2013). ReflectiveDLLInjection. [Online]. Available: https://github.com/stephenfewer/ReflectiveDLLInjection
[12] Offensive Security. USING THE MSFCONSOLE INTERFACE. [Online]. Available: https://www.offensive-security.com/metasploit-unleashed/msfconsole/
[13] Rapid7. (2021). reflective_dll_inject.rb. [Online]. Available: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/reflective_dll_inject.rb
[14] Penetration Testing Lab. (2017). DLL Injection. [Online]. Available: https://pentestlab.blog/2017/04/04/dll-injection/
[15] Deep Instinct. (2018). MAKING SENSE OF FILELESS MALWARE. [Online]. Available: https://www.boll.ch/deepinstinct/assets/Deep_Instinct_Making_sense_of_fileless_malware.pdf
[16] MICHAEL GORELIK. (2017). IRANIAN FILELESS ATTACK INFILTRATES ISRAELI ORGANIZATIONS. [Online]. Available: https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability
[17] Microsoft Security Team. (2018). Office VBA + AMSI: Parting the veil on malicious macros. [Online]. Available: https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
[18] Microsoft Defender Security Research Team. (2015). Windows 10 to offer application developers new malware defenses. [Online]. Available: https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
[19] Microsoft. (2019). Antimalware Scan Interface (AMSI). [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
[20] Microsoft. (2019). How the Antimalware Scan Interface (AMSI) helps you defend against malware. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
[21] Microsoft. (2021). Antimalware Scan Interface (AMSI) functions. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-functions
[22] Microsoft. (2021). AmsiScanBuffer function (amsi.h). [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanbuffer
[23] Microsoft. (2021). AmsiScanString function (amsi.h). [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanstring
[24] Microsoft. (2021). Antimalware Scan Interface (AMSI) interfaces. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-interfaces
[25] Microsoft. (2021). IAmsiStream::GetAttribute method (amsi.h). [Online]. Available: https://docs.microsoft.com/zh-tw/windows/win32/api/amsi/nf-amsi-iamsistream-getattribute
[26] Microsoft. (2021). IAntimalware::Scan method (amsi.h). [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-iantimalware-scan
[27] Microsoft. (2020). Developer audience, and sample code. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/amsi/dev-audience
[28] Microsoft. (2021). IAntimalwareProvider interface (amsi.h). [Online]. Available: https://docs.microsoft.com/zh-tw/windows/win32/api/amsi/nn-amsi-iantimalwareprovider
[29] Microsoft. (2021). IAntimalwareProvider::Scan method (amsi.h). [Online]. Available: https://docs.microsoft.com/zh-tw/windows/win32/api/amsi/nf-amsi-iantimalwareprovider-scan?redirectedfrom=MSDN
[30] Jeffrey Tang. (2018). How to Implement an Anti-Malware Scanning Interface Provider. [Online]. Available: https://blogs.blackberry.com/en/2018/04/how-to-implement-anti-malware-scanning-interface-provider
[31] PowerShell Team. (2021). CompiledScriptBlock.cs. [Online]. Available: https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
[32] PowerShell Team. (2022). SecuritySupport.cs. [Online]. Available: https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/security/SecuritySupport.cs
[33] Microsoft. (2021). AMSI_RESULT enumeration (amsi.h). [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/amsi/ne-amsi-amsi_result
[34] VirusTotal. VirusTotal Developer Hub. [Online]. Available: https://developers.virustotal.com/v2.0
[35] Microsoft. (2020). IAntimalwareProvider interface sample. [Online]. Available: https://github.com/Microsoft/Windows-classic-samples/tree/main/Samples/AmsiProvider
[36] Microsoft. (2021). IAmsiStream interface (amsi.h). [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iamsistream
[37] Microsoft. (2018). AmsiProvider.cpp. [Online]. Available: https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/AmsiProvider/AmsiProvider.cpp
[38] Microsoft. (2021). AMSI_ATTRIBUTE enumeration (amsi.h). [Online]. Available: https://docs.microsoft.com/zh-tw/windows/win32/api/amsi/ne-amsi-amsi_attribute
[39] OpenSSL. Welcome to the OpenSSL Project. [Online]. Available: https://github.com/openssl/openssl/
[40] TroubleChute. (2019). Build + Use OpenSSL with Visual Studio 2019 or 2017 | Static & Shared | x32 & x64. [Online]. Available: https://www.youtube.com/watch?v=PMHEoBkxYaQ
[41] curl. command line tool and library for transferring data with URLs. [Online]. Available: https://curl.se/
[42] TroubleChute. (2019). Build + Use static CURL with Visual Studio 2019 or 2017. [Online]. Available: https://www.youtube.com/watch?v=q_mXVZ6VJs4
[43] Fwxs. (2019). virustotalcpp. [Online]. Available: https://github.com/fwxs/virustotalcpp
[44] open-source-parsers. JsonCpp. [Online]. Available: https://github.com/open-source-parsers/jsoncpp
[45] Kamory. (2021). C++ 與 JSON - 使用 jsoncpp. [Online]. Available: https://kamory0931.pixnet.net/blog/post/219956370-c%2B%2B-%E8%88%87-json-%282%29---jsoncpp
[46] BC-SECURITY. (2021). Invoke-Mimikatz.ps1. [Online]. Available: https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
[47] Max Malyutin. (2022). POWERSHELL OBFUSCATION DEMYSTIFIED SERIES CHAPTER 2: CONCATENATION AND BASE64 ENCODING. [Online]. Available: https://www.cynet.com/attack-techniques-hands-on/powershell-obfuscation-demystified-series-chapter-2-concatenation-and-base64-encoding/
[48] Offensive Security. MSFVENOM. [Online]. Available: https://www.offensive-security.com/metasploit-unleashed/msfvenom/
[49] Mariusz Banach. (2018). Various-Macro-Based-RCEs.md. [Online]. Available: https://gist.github.com/mgeeky/9dee0ac86c65cdd9cb5a2f64cef51991
[50] Raj Chandel. (2021). Msfvenom Cheatsheet: Windows Exploitation. [Online]. Available: https://www.hackingarticles.in/msfvenom-cheatsheet-windows-exploitation/
[51] Techsuii Channel. (2017). Create Powershell Base64 with powershell/base64 Encoder module. [Online]. Available: https://www.youtube.com/watch?v=T_dv7-JB-vY
[52] Microsoft. Microsoft Github. [Online]. Available: https://github.com/microsoft
[53] MalwareBazaar. [Online]. Available: https://bazaar.abuse.ch/

指導教授

許富皓

審核日期

2022-6-9

推文