File: defender-endpoint/amsi-on-mdav.md
Lines changed: 4 additions & 4 deletions
@@ -47,7 +47,7 @@ Because memory is volatile, and fileless malware doesn't place files on disk, es
Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:
-
-**Reflective DLL injection**: Reflective DLL injection involves the manual loading of malicious DLLs into a process memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors, like macros and scripts. This configuration results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
+
-**Reflective DLL injection**: Reflective DLL injection involves the manual loading of malicious DLLs into a process memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors, like macros and scripts. This configuration results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is `HackTool:Win32/Mikatz!dha`.
-**Memory exploits**: Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, and lives entirely in the kernel's memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
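Review bot: while this bullet is being touched, the unchanged "Memory exploits" context line in the same hunk spells the same name as both "WannaCry" and "Wannacry"; normalizing the second to "WannaCry" would match the first usage and is a one-word fix in the same region. Wrapping `HackTool:Win32/Mikatz!dha` in backticks is the right call, since the detection name is a literal identifier rather than prose.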
@@ -81,15 +81,15 @@ AMSI provides a deeper level of inspection for malicious software that employs o
- .NET Framework 4.8 or newer (scanning of all assemblies)
- Windows Management Instrumentation (WMI)
-
If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.
+
If you use Microsoft 365 Apps, AMSI also supports JavaScript, VBA, and XLM.
AMSI doesn't currently support Python or Perl.
### Enabling AMSI
-
To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+
To enable AMSI, you need to enable script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md).
-
Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender)
+
Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender).
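Review bot: the first change in this hunk renames the product from "Microsoft Office 365" to "Microsoft 365 Apps", which is a content change rather than the capitalization and trailing-period fixes the other two changes make; it is worth calling out explicitly so the rename isn't mistaken for a typo fix. In the "Enabling AMSI" section, both links send readers to the script scanning setting without naming it; stating the specific setting in the sentence (for example, "enable script scanning via the <setting name> policy") would save readers a search through the scan-options page and the CSP reference.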
0 commit comments