Microsoft has been working on an answer to some clever new techniques used in penetration-testing kits to bypass Windows Defender Advanced Threat Protection (ATP), its key security platform for protecting Windows 10 in the enterprise.
Microsoft reports that it has detected two instances of fileless malware used to deliver information stealers that run in memory without an executable file being written to disk.
Fileless malware is on the rise, thanks to freely available tools that can be used to improve defenses or launch an attack.
The malware Microsoft spotted relies on techniques from the penetration-testing kit Sharpshooter, which generates payloads in multiple Windows formats and can avoid detection by enterprise anti-malware products.
"The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk," explains Andrea Lelli of the Windows Defender Research team.
"This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script."
But Lelli says that when Sharpshooter was published, Microsoft got ahead of attacks that might use the framework and "implemented a detection algorithm based on runtime activity rather than on the static script", specifically to detect threats derived from Sharpshooter.
"The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior, a fingerprint of the malicious fileless technique," writes Lelli.
"Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked."
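The mechanism Lelli describes, runtime API logging handed to a scanner when a trigger API fires, can be modelled in a few dozen lines. The following is an added illustration, not Microsoft's detection code nor anything from Sharpshooter: a toy script interpreter records every API it calls, submits the log to a behavior scanner whenever a trigger API is invoked, and is run beside a plain text-signature scanner. The API names, the trigger set, the fingerprint sequence and the three sample scripts are all constructed for the example; the point it shows is the one in the quote, that an obfuscated script and its plain counterpart produce the same runtime log, so the static check misses the obfuscated version while the runtime check catches both.

```python
"""Toy model of runtime API-logging detection (constructed example, not
Microsoft's or Sharpshooter's code). A tiny script interpreter logs every API
it calls; when a trigger API fires, the log is handed to a behavior scanner.
A static text scanner runs alongside to show that obfuscation hides the code
but not the behavior."""

# Constructed: APIs whose invocation causes the log to be scanned (the "triggers").
TRIGGER_APIS = {"Assembly.Load", "Invoke"}

# Constructed fingerprint of an in-memory .NET loading pattern: decode a blob,
# load an assembly from it, invoke it. Other calls may be interleaved.
FINGERPRINT = ["Base64Decode", "Assembly.Load", "Invoke"]


class ToyScriptEngine:
    """Line-oriented interpreter standing in for a script engine with AMSI hooks.
    Statements: `name = <expr>`, `name = CALL <api-expr>, <arg-expr>`,
    `CALL <api-expr>, <arg-expr>`. Expressions allow string literals, variables,
    '+' concatenation and rev(s) (string reversal), via a restricted eval."""

    def __init__(self, scanner):
        self.scanner = scanner      # callable(api_log) -> bool
        self.api_log = []           # runtime record of API calls, in order
        self.verdicts = []          # one scanner verdict per trigger invocation

    def _eval(self, expr, env):
        return eval(expr.strip(), {"__builtins__": {}}, {"rev": lambda s: s[::-1], **env})

    def _call(self, api, arg):
        # The engine sees the resolved API name however the script spelled it.
        self.api_log.append(f"{api}({str(arg)[:24]!r})")
        if api in TRIGGER_APIS:
            self.verdicts.append(self.scanner(self.api_log))
        return f"<{api} result>"

    def run(self, script_text):
        env = {}
        for raw in script_text.strip().splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            target = None
            if "=" in line and not line.startswith("CALL"):
                target, line = (part.strip() for part in line.split("=", 1))
            if line.startswith("CALL"):
                api_expr, arg_expr = line[len("CALL"):].split(",", 1)
                value = self._call(self._eval(api_expr, env), self._eval(arg_expr, env))
            else:
                value = self._eval(line, env)
            if target:
                env[target] = value
        return self.verdicts


def behavior_scanner(api_log):
    """True if the fingerprint APIs appear in the runtime log, in order."""
    pos = 0
    for entry in api_log:
        if entry.split("(", 1)[0] == FINGERPRINT[pos]:
            pos += 1
            if pos == len(FINGERPRINT):
                return True
    return False


def static_scanner(script_text):
    """Signature-style check on the script text alone."""
    return all(api in script_text for api in FINGERPRINT)


def analyze(script_text):
    engine = ToyScriptEngine(behavior_scanner)
    verdicts = engine.run(script_text)
    return {"static": static_scanner(script_text),
            "runtime": any(verdicts),
            "api_log": list(engine.api_log)}


# Constructed sample scripts. The blob is base64 of the word CONSTRUCTED, not a binary.
PLAIN_SCRIPT = """
blob = "Q09OU1RSVUNURUQ="
raw = CALL "Base64Decode", blob
asm = CALL "Assembly.Load", raw
CALL "Invoke", asm
"""

OBFUSCATED_SCRIPT = """
# Same behavior; the API names never appear literally in the text.
blob = "Q09OU1RSVUNURUQ="
d = rev("edoceD46esaB")
raw = CALL d, blob
l = "Assem" + "bly." + rev("daoL")
asm = CALL l, raw
CALL rev("ekovnI"), asm
"""

BENIGN_SCRIPT = """
# Hits a trigger API but never shows the fingerprint, so no alert.
msg = "hello"
CALL "Invoke", msg
"""

if __name__ == "__main__":
    for name, text in [("plain", PLAIN_SCRIPT), ("obfuscated", OBFUSCATED_SCRIPT), ("benign", BENIGN_SCRIPT)]:
        result = analyze(text)
        print(f"{name:10} static={result['static']!s:5} runtime={result['runtime']!s:5} log={result['api_log']}")
```

Running the file prints one line per sample: the plain script is caught by both scanners, the obfuscated one only by the runtime scanner, and the benign script, which invokes a trigger API without the preceding decode-and-load sequence, is cleared by both. The scan happens at trigger time rather than on every call so that the scanner sees the behavior that led up to the dangerous API, which is the trade-off the quoted description of AMSI triggers is making.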
In this case, Windows Defender ATP, combined with AMSI, was able to detect two malware campaigns in June that used a VBScript based on Sharpshooter to deliver a "very stealthy" .NET executable payload.
The payload downloads the decryption key to unlock the core malware that executes in memory and is not written to disk.
Microsoft believes this attack using real malware was deployed as part of a penetration-testing exercise as opposed to an actual targeted attack.