AMSI
The Anti Malware Scan Interface (AMSI) was introduced and integrated with Windows 10. When using the default Windows Defender Antivirus (WDAV), all PowerShell and VBScript scripts are sent through the detection mechanism of WDAV to validate if a script contains malware:
Reference:Â https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/.
This also works for dynamically executed scripts, as they will be sent to AMSI before being executed. This would look as follows:
On top of this functionality, AMSI has also been packed with the capability to validate if scripts are obfuscated or not. Windows 10 1709 brought a security feature called Exploit Guard. One of its mechanisms is to define policies for blocking all obfuscated scripts (which, in most cases, makes sense):
Note
Further information on the topic as well as the ExploitGuard demo Tool can be found at the following link:https://docs.microsoft.com/en-us/windows/security...