Jr-Wei Huang is currently a senior threat researcher on the PSIRT and threat research team of TXOne Networks Inc. He has participated in the development of enterprise system defense solutions and is currently focused on system security, threat hunting, and malware analysis. He has also presented his research at cybersecurity conferences such as HITCON, JSAC, and CYBERSEC.
As threats continue to intensify, threat actors employ increasingly stealthy infection techniques to obtain reverse shells and move laterally within corporate networks. Among these, fileless attack strategies have become a primary method for bypassing even the most advanced endpoint defenses. By abusing native system components—such as PowerShell and LoLBins (living-off-the-land binaries)—in orchestrated attacks, adversaries can escalate privileges, leverage BYOVD (Bring Your Own Vulnerable Driver) techniques to disable core endpoint protections, and implant persistent backdoors.
To address this multi-layered abuse of native components, Microsoft introduced AMSI (Antimalware Scan Interface) in Windows 10 and integrated it into several of the system's high-risk execution paths. AMSI gives security products a more precise, semantic view of the content being executed, enabling collaborative defense and making it the main line of defense against early-stage attacks. But is it really effective?
In this session, we will begin by discussing a paper from CrowdStrike that raises concerns about the AMSI architecture design. We will guide the audience through a reverse engineering approach to break down the PowerShell + AMSI defense framework, exploring The Good, The Bad, and The Ugly. This will involve analyzing the underlying interaction and collaboration process of PowerShell’s architectural components, transforming it into practical and effective exploitation techniques seen in the wild. In terms of detection, we will explore whether multi-layered hooks can mitigate these bypass techniques, helping blue team members gain a deeper understanding of the PowerShell engine.
In this AI revolution, various Transformer-based models have successfully brought AI into everyday life and commercial applications through GPT-powered chatbots. This surge has led top-tier cybersecurity vendors to demonstrate that automated forensics and network management assistant chatbots, such as Defender Copilot, can effectively support security investigations and response in practice. However, LLMs still struggle with their inherent hallucination problem, and their abilities cannot fully address unexpected attacks from real-world threats.
Can we therefore develop an AI detection engine that operates without human interaction, enabling 24/7 full-scope monitoring without the need for network administrators or forensic analysts? The vision is to deploy a pre-trained, on-premises AI agent capable of autonomously performing reverse engineering, reasoning, identification, and automated response in real time—without human intervention. This concept represents a new approach to next-generation endpoint detection and protection. Can we absorb the expertise of reverse engineers into a specialized AI model by leveraging large-scale samples?
In this session, we will take the audience on a journey through academic research in pursuit of autonomous reverse engineering. We will explore how to transition from classic Attention-based Neural Machine Translation (NMT) models to AI agents with symbolic understanding and reasoning capabilities, ultimately training them as practical endpoint detection and reverse reasoning engines.
CYBERSEC 2025 uses cookies to provide you with the best user experience possible. By continuing to use this site, you agree to the terms in our Privacy Policy.