As threats continue to intensify, threat actors employ increasingly stealthy infection techniques to obtain reverse shells and move laterally within corporate networks. Among these, fileless attack strategies have become a primary method for bypassing even the most advanced endpoint defenses. By abusing native system services (such as PowerShell and LoLBins) in orchestrated attacks, adversaries can escalate privileges, use BYOVD (Bring Your Own Vulnerable Driver) techniques to disable core endpoint protections, and implant persistent backdoors.
To counter the multi-layered abuse of native services described above, Microsoft introduced AMSI (Antimalware Scan Interface) in Windows 10, deploying it across multiple at-risk components of the system. AMSI provides a more precise semantic scan that enables coordinated defense, and it has become the main line of defense against early-stage attack threats. But is it really effective?
In this session, we will begin by discussing a paper from CrowdStrike that raises concerns about the AMSI architecture design. We will guide the audience through a reverse engineering approach to break down the PowerShell + AMSI defense framework, exploring The Good, The Bad, and The Ugly. This will involve analyzing the underlying interaction and collaboration process of PowerShell’s architectural components, transforming it into practical and effective exploitation techniques seen in the wild. In terms of detection, we will explore whether multi-layered hooks can mitigate these bypass techniques, helping blue team members gain a deeper understanding of the PowerShell engine.
TOPIC / TRACK
SecOps Forum
LOCATION
Taipei Nangang Exhibition Center, Hall 2, 7F 701B
LEVEL
Intermediate
Intermediate sessions focus on cybersecurity architecture, tools, and practical applications, ideal for professionals with a basic understanding of cybersecurity.
SESSION TYPE
Breakout Session
LANGUAGE
Chinese
SUBTOPIC
Endpoint Security
Threat Research
Blue Team