How the hell WD works on Windows Home & Pro?
<blockquote data-quote="Andy Ful" data-source="post: 935244" data-attributes="member: 32260">
<p><strong><span style="font-size: 18px">Some info about training AMSI machine learning models.</span></strong></p>
<p><em>"<a href="https://docs.microsoft.com/windows/desktop/amsi/antimalware-scan-interface-portal" target="_blank">Antimalware Scan Interface (AMSI)</a> helps security software to detect such malicious scripts by exposing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as <a href="https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/" target="_blank">Office 365 VBA</a> to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros. <a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment" target="_blank">Behavioral blocking and containment capabilities</a> in <a href="https://www.microsoft.com/WindowsForBusiness/windows-atp" target="_blank">Microsoft Defender Advanced Threat Protection (ATP)</a> take full advantage of AMSI’s visibility into scripts and harness the power of machine learning and cloud-delivered protection to detect and stop malicious behavior. In the broader delivery of coordinated defense, the AMSI-driven detection of malicious scripts on endpoints helps <a href="https://www.microsoft.com/security/technology/threat-protection" target="_blank">Microsoft Threat Protection</a>, which combines signals from Microsoft Defender ATP and other solutions in the Microsoft 365 security portfolio, to detect <a href="https://www.microsoft.com/security/blog/2020/07/29/inside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics/" target="_blank">cross-domain attack chains</a>.</em></p>
<p><em>On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and use additional signals like file age, prevalence, and other such information to determine whether the script should be blocked or not.</em></p>
<p><em>These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running. In this blog, we’ll discuss examples of Active Directory attacks, including fileless threats, foiled by AMSI machine learning.</em>"</p>
<p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/08/fig1-pair-of-AMSI-machine-learning-models.png" alt="Diagram showing pairs of machine learning models on the endpoint and in the cloud using AMSI to detect malicious scripts" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Figure 1. Pair of AMSI machine learning models on the client and in the cloud</em></p>
<p>....</p>
<p>"<em>To ensure continued high-quality detection of threats, the AMSI machine learning models are trained per scripting engine using real-time protection data and threat investigations.</em></p>
<p><em>Featurization is key to machine learning models making intelligent decisions about whether content is malicious or benign. For behavior-based script logs, we extract the set of libraries, COM objects, and function names used by the script. Learning the most important features within the script content is performed through a combination of character n-gramming the script or behavior log, followed by the semi-asynchronous stochastic dual coordinate ascent (SA-SDCA) algorithm with L1 regularization feature trimming to learn and deploy the most important character n-gram features.</em></p>
<p><em>On top of the same features used to train the client models, other complex features used to train the cloud models include fuzzy hashes, cluster hashes, partial hashes, and more. In addition, the cloud models have access to other information like age, prevalence, global file information, reputation and others, which allow cloud models to make more accurate decisions for blocking.</em>"</p>
<p>"<em>On endpoints, <a href="https://www.microsoft.com/WindowsForBusiness/windows-atp" target="_blank">Microsoft Defender ATP</a> uses multiple next-generation protection engines that detect a wide range of threats. One of these engines uses insights from AMSI and pairs of machine learning models on the client and in the cloud working together to detect and stop malicious scripts post-execution.</em></p>
<p><em>These pairs of AMSI models, one pair for each scripting engine, are part of the behavior-based blocking and containment capabilities in Microsoft Defender ATP, which are designed to detect and stop threats even after they have started running. When running, threats are exposed and can’t hide behind encryption or obfuscation. This adds another layer of protection for instances where sophisticated threats are able to slip through pre-execution defenses.</em>"</p>
<p><a href="https://www.microsoft.com/security/blog/2020/08/27/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning/" target="_blank">https://www.microsoft.com/security/blog/2020/08/27/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning/</a></p>
<p>Edit.</p>
<p>Interesting article about AMSI-based detections (a lot of articles in the bibliography).</p>
</blockquote>
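<p>The quoted post describes two things worth seeing in code: featurization by character n-grams with L1 feature trimming, and the client/cloud split in which a lightweight endpoint model decides clear cases and forwards only a feature description of the suspicious band to a heavier model that also has prevalence and age signals. The following is an added, self-contained Python sketch of that pipeline; it is not Microsoft's code and not from the blog. Everything in it is an assumption made for the demo: the n-gram length, the hashed feature space, plain proximal gradient descent standing in for SA-SDCA, the constructed training scripts (the base64 blob decodes to the word PLACEHOLDER), and the cloud-side log-odds adjustments for prevalence and age.</p>

```python
"""Added example, not Microsoft's code: an AMSI-style two-tier script classifier
in miniature. A 'client' model scores hashed character n-grams of the script
text; a 'cloud' stage combines that score with metadata the endpoint lacks.
Training is L1-regularised logistic regression (proximal gradient descent
stands in for SA-SDCA); the soft-threshold step trims weak n-gram weights."""
import math
import zlib
from collections import Counter

NGRAM = 3       # character n-gram length (assumption; the blog does not state n)
DIM = 1 << 14   # hashed feature space, a stand-in for a learned n-gram vocabulary


def featurize(script: str) -> dict:
    """Hashed, L2-normalised bag of character n-grams. This dict of hashed
    indices and weights is the 'feature description' forwarded to the cloud;
    the raw script text is not."""
    text = script.lower()
    grams = (text[i:i + NGRAM] for i in range(len(text) - NGRAM + 1))
    counts = Counter(zlib.crc32(g.encode()) % DIM for g in grams)
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {j: c / norm for j, c in counts.items()}


def score(weights: dict, feats: dict) -> float:
    """Logistic score P(malicious) of one feature description."""
    z = sum(w * feats.get(j, 0.0) for j, w in weights.items())
    return 1.0 / (1.0 + math.exp(-z))


def train_l1(samples, labels, l1=2e-3, lr=2.0, epochs=400) -> dict:
    """Logistic regression with an L1 proximal (soft-threshold) step. Weights the
    data cannot justify above the L1 penalty become exactly zero and are dropped:
    the feature-trimming effect the blog attributes to L1 regularisation."""
    weights, n = {}, len(samples)
    for _ in range(epochs):
        grad = Counter()
        for x, y in zip(samples, labels):
            err = score(weights, x) - y            # d(log-loss)/dz for this sample
            for j, v in x.items():
                grad[j] += err * v
        for j, g in grad.items():
            v = weights.get(j, 0.0) - lr * g / n   # gradient step
            shrunk = abs(v) - lr * l1              # proximal L1 step
            if shrunk > 0:
                weights[j] = math.copysign(shrunk, v)
            else:
                weights.pop(j, None)               # trimmed feature
    return weights


def cloud_verdict(content_p: float, metadata: dict):
    """'Cloud' stage: combines the content score with signals the endpoint does
    not have. The log-odds adjustments below are constructed for this demo."""
    z = math.log(content_p / (1.0 - content_p))
    z += 1.0 if metadata["prevalence"] < 10 else -1.5   # rare content is riskier
    z += 0.5 if metadata["age_days"] < 1 else -0.5       # brand-new content is riskier
    p = 1.0 / (1.0 + math.exp(-z))
    return ("block" if p >= 0.5 else "allow"), p


def scan(weights: dict, script: str, metadata: dict, low=0.2, high=0.8):
    """Endpoint flow: the lightweight model settles clear cases locally; only the
    'suspicious' band is forwarded (as features, not text) to the cloud stage."""
    p = score(weights, featurize(script))
    if p < low:
        return "allow", p, "client"
    if p >= high:
        return "block", p, "client"
    verdict, p_cloud = cloud_verdict(p, metadata)
    return verdict, p_cloud, "cloud"


# Constructed training corpus. The 'suspicious' rows only mimic the shape of
# obfuscated scripts; the base64 blob decodes to PLACEHOLDER and nothing runs.
BENIGN = [
    r"Get-ChildItem C:\Users\demo\Documents -Recurse | Measure-Object",
    r"Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    r"Get-Service -Name Spooler | Select-Object Status, StartType",
    r"Get-Date -Format 'yyyy-MM-dd' | Out-File C:\Users\demo\log.txt",
]
SUSPICIOUS = [
    r"$b = 'UExBQ0VIT0xERVI='; Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))",
    r"Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:DEMO_BLOB)))",
    r"$cmd = -join ('Write', '-Out', 'put ', 'placeholder'); Invoke-Expression $cmd",
    r"Invoke-Expression ((New-Object IO.StreamReader('C:\Users\demo\placeholder.txt')).ReadToEnd())",
]


def train_demo() -> dict:
    """Train the client model on the constructed corpus and return its weights."""
    feats = [featurize(s) for s in BENIGN + SUSPICIOUS]
    labels = [0] * len(BENIGN) + [1] * len(SUSPICIOUS)
    return train_l1(feats, labels)


if __name__ == "__main__":
    w = train_demo()
    total = len({j for s in BENIGN + SUSPICIOUS for j in featurize(s)})
    print(f"non-zero n-gram weights after L1 trimming: {len(w)} of {total}")
    for s in (BENIGN[0], SUSPICIOUS[0]):
        print(scan(w, s, {"prevalence": 3, "age_days": 0}), "<-", s[:40])
```

<p>Two design points mirror the quoted text. First, the cloud never receives the script, only the hashed feature description, which is why the same content model can be re-run there and enriched with prevalence and age. Second, the proximal step makes trimming explicit: after training, the number of non-zero weights is well below the number of distinct n-grams in the corpus, so the deployed client model carries only the n-grams that actually separate the classes.</p>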