AMSI and Machine Learning Help to Stop Active Directory Attacks and Other Post-exploitation Behavior

 

Last week, Microsoft Defender ATP Research team blogged about Antimalware Scan Interface (AMSI)-driven behavior-based machine learning protections. AMSI helps security software detect malicious scripts by revealing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as Office 365 VBA to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros. So basically, AMSI’s provide visibility into scripts along with the ability to harness the power of machine learning and cloud-delivered protection to detect and stop malicious behavior. 

AMSI-driven behavior-based machine learning protections are critical in detecting and stopping post-exploitation activities like BloodHound-based and Kerberoasting attacks, which employ evasive malicious scripts, including fileless components. With AMSI, script content and behavior are exposed, allowing Microsoft Defender ATP to foil reconnaissance activities and prevent attacks from progressing. 

To dive deeper into this subject, read more from the Microsoft Defender ATP Research Team here. 

Learn more about securing hybrid Microsoft environments in our on-demand webinar, 3 Keys to Secure Hybrid Microsoft Management. 

Check out these relevant resources.