Microsoft has been working on an answer to some clever new techniques used in penetration-testing kits to bypass Windows Defender Advanced Threat Protection (ATP), its key security platform for protecting Windows 10 in the enterprise.
The malware Microsoft spotted relies on techniques from penetration-testing kit Sharpshooter, which generates payloads in multiple Windows formats and can avoid detection by enterprise anti-malware products.
"The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk," explains Andrea Lelli of the Windows Defender Research team.
"This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script."
But Lelli says that when Sharpshooter was published, Microsoft got ahead of attacks that might use the framework and "implemented a detection algorithm based on runtime activity rather than on the static script", specifically to detect threats derived from Sharpshooter.
"The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior, a fingerprint of the malicious fileless technique," writes Lelli.
"Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked."
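The mechanism Lelli describes, a runtime API log handed to a scanner whenever a trigger API fires, can be illustrated with a small simulation. This is an added example, not Microsoft's code or its real detection logic: the log format, the API names, the trigger set and the behavioural fingerprint are all assumptions constructed for illustration. The point it shows is that two scripts obfuscated in different ways (here `StrReverse` versus `Replace` before decoding) produce the same call sequence, so a fingerprint over the log matches both, while a benign script that never loads an in-memory assembly is left alone.

```python
"""Behaviour-based detection over a runtime API log (illustrative simulation).

Constructed example: log format, API names, trigger set and fingerprint
are assumptions for illustration, not the actual AMSI log format or
Microsoft's detection algorithm.
"""
from collections import defaultdict

# Constructed sample log, one line per API call the engine recorded.
# Assumed format: <script_id> <api_name> <argument summary>
SAMPLE_LOG = """\
s1 StrReverse len=2140
s1 Base64Decode len=1600
s1 Assembly.Load bytes=1200
s1 Assembly.CreateInstance type=Runner
s1 MethodInfo.Invoke name=Run
s2 Replace len=3100
s2 Base64Decode len=1580
s2 Assembly.Load bytes=1190
s2 MethodInfo.Invoke name=Run
s3 FileSystemObject.OpenTextFile path=log.txt
s3 TextStream.WriteLine len=20
"""

# Assumed trigger APIs: when one is invoked, the trace accumulated so far
# is handed to the scanner (the role AMSI plays on a real Windows host).
TRIGGER_APIS = {"Assembly.Load", "MethodInfo.Invoke"}

# Assumed behavioural fingerprint: decode a blob, load it as an in-memory
# assembly, then invoke a method. Order matters; unrelated calls in
# between are ignored, which is what makes it robust to obfuscation.
FINGERPRINT = ["Base64Decode", "Assembly.Load", "MethodInfo.Invoke"]


def iter_calls(text):
    """Yield (script_id, api_name) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) >= 2:
            yield parts[0], parts[1]


def matches_fingerprint(trace, fingerprint=FINGERPRINT):
    """True if the fingerprint APIs occur in order as a subsequence of trace."""
    i = 0
    for api in trace:
        if i < len(fingerprint) and api == fingerprint[i]:
            i += 1
    return i == len(fingerprint)


def scan_log(text):
    """Stream the log as the engine would: append each call to the script's
    trace and, on a trigger API, submit the trace to the scanner.

    Returns {script_id: index of the call that produced the detection}.
    """
    traces = defaultdict(list)
    detections = {}
    for sid, api in iter_calls(text):
        traces[sid].append(api)
        if sid in detections or api not in TRIGGER_APIS:
            continue
        if matches_fingerprint(traces[sid]):
            detections[sid] = len(traces[sid]) - 1
    return detections


if __name__ == "__main__":
    for sid, idx in scan_log(SAMPLE_LOG).items():
        print(f"{sid}: fingerprint matched at call #{idx}")
```

Running it reports detections for `s1` and `s2` only. On a real Windows host the hand-off is the script engine's call into AMSI (for example `AmsiScanBuffer`), where a registered antimalware provider inspects the buffer; the `matches_fingerprint` check stands in for that provider here. Note the trade-off the quoted text implies: a trigger set that is too narrow can be bypassed by reaching the same effect through an API that is not logged, while one that is too broad costs performance because every trigger forces a scan.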
In this case, Windows Defender ATP, combined with AMSI, was able to detect two malware campaigns in June that used a VBScript based on Sharpshooter to deliver a "very stealthy" .NET executable payload.
The payload downloads the decryption key to unlock the core malware, which executes in memory and is never written to disk.
Microsoft believes this attack using real malware was deployed as part of a penetration-testing exercise as opposed to an actual targeted attack.