Hackers at this year's Black Hat conference admitted that developing a successful attack technique is now much harder with Windows 10.
According to PC World, one of the problems is that Vole has built the Antimalware Scan Interface (AMSI) into Windows 10. AMSI lets a registered antimalware engine inspect script content in memory at the moment it is about to run, after any unpacking or decoding has already happened, rather than only scanning files on disk.
It quoted Nikhil Mittal, penetration tester and associate consultant with NoSoSecure, as saying that any application can call it, and any registered antimalware engine can process the content submitted to AMSI. Windows Defender and AVG currently use AMSI, and it should become more widely adopted as this effectively blocks script-based attacks.
AMSI needs to work alongside other security measures, and Windows administrators need to monitor their PowerShell logs regularly rather than assume AMSI alone will catch everything.
Mittal's assessment is that AMSI is only as good as the signatures of the engines behind it, so a script obfuscated enough to slip past those signatures slips past AMSI too, and it does not see scripts loaded from unusual places such as a WMI namespace, registry keys or event logs. The known bypasses follow from that: change the script so its signature no longer matches, fall back to the PowerShell version 2 engine (which predates AMSI and is never scanned), or disable AMSI in the session outright.
Another hacker headache is Microsoft's virtualisation-based security (VBS) in Windows 10, a set of protections that use the Hyper-V hypervisor to keep a small secure kernel and its memory isolated from the normal Windows kernel, so that even kernel-level code cannot reach it.
Rafal Wojtczuk, chief security architect at Bromium, said that despite its limited scope VBS is useful: it prevents certain attacks that are straightforward without it.
“The security posture of VBS looks good, and it improves the security of a system -- certainly it requires additional highly nontrivial effort to find suitable vulnerability allowing the bypass,” Wojtczuk said.
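The two points above leave an administrator with concrete things to check: whether the PowerShell 2.0 downgrade path still exists on a box, whether the logs show anyone using it or tampering with AMSI, and whether VBS is actually running. The script below is an added example written for this page; it is not code from the article, from PC World or from either Black Hat talk. It assumes Windows 10 with PowerShell 5.x run from an elevated prompt. The event IDs, optional feature name, registry policy path and Device Guard CIM class follow Microsoft's documentation; the function name, the regular expressions used as indicators and the 24-hour default window are this example's own choices.

```powershell
# Added example (not from the article): audit a Windows 10 host for the
# AMSI bypasses and the VBS status discussed above.
# Assumes PowerShell 5.x, elevated. Indicator regexes are a starting heuristic.

function Test-Win10ScriptDefences {
    [CmdletBinding()]
    param([int]$HoursBack = 24)

    $since  = (Get-Date).AddHours(-$HoursBack)
    $report = [ordered]@{}

    # 1. Downgrade surface: "powershell -Version 2" only works while the optional
    #    PowerShell 2.0 engine is installed. Removing it closes the AMSI-free path.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $report.V2EngineInstalled = ($v2.State -eq 'Enabled')

    # 2. Downgrade use: engine start events (ID 400 in the "Windows PowerShell" log)
    #    carry "EngineVersion=..." in their message; 2.0 means AMSI never saw that session.
    $starts = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $report.V2EngineStarts = @($starts | Where-Object { $_.Message -match 'EngineVersion=2\.0' }).Count

    # 3. Script block logging (ID 4104) records script text after the engine has
    #    de-obfuscated it, so it is where a script that disables AMSI shows up.
    #    AmsiUtils / amsiInitFailed are the internal PowerShell names the public
    #    reflection-based disable technique touches; extend the pattern as needed.
    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $report.AmsiTamperBlocks = @($blocks | Where-Object { $_.Message -match 'AmsiUtils|amsiInitFailed' }).Count

    # 4. Step 3 sees nothing unless script block logging is actually enabled by policy.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                            -ErrorAction SilentlyContinue
    $report.ScriptBlockLoggingEnabled = ($sbl.EnableScriptBlockLogging -eq 1)

    # 5. VBS status from the Device Guard CIM class: VirtualizationBasedSecurityStatus
    #    2 = running; SecurityServicesRunning holds 1 for Credential Guard, 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
                          -ErrorAction SilentlyContinue
    $report.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $report.HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)

    [pscustomobject]$report
}

# Usage: review the report, then remove the 2.0 engine if nothing legitimate needs it.
Test-Win10ScriptDefences -HoursBack 72 | Format-List
# Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
```

A host that reports `V2EngineInstalled` as true and `ScriptBlockLoggingEnabled` as false has both of the cheap bypasses open and no record of what ran; fixing those two settings costs nothing and is the precondition for the PowerShell log monitoring the article recommends. A `V2EngineStarts` count above zero on a machine where nobody should be using the old engine is worth an incident ticket on its own.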
It is a pity really. Vole did rather well with Windows 10; it just blotted the whole thing by forcing it onto people and broadcasting so many personal details to Microsoft.