Security BSides Las Vegas 2025

Detecting, Deobfuscating, and Preventing Obfuscated Script Execution with Tree-sitter
2025-08-04, Florentine A

The malicious obfuscation of code written in scripting languages such as PowerShell, Python, and JavaScript continues to be an essential part of threat actors' toolkits. Obfuscation techniques hamper analysts' ability to investigate and respond quickly to compromises by complicating reverse engineering of the original script, and they pose significant challenges to scanning engines, such as YARA, that rely on byte-based pattern recognition.

Windows' built-in defense mechanisms, notably the Antimalware Scan Interface (AMSI) provider DLLs that ship with the platform, struggle to detect these obfuscations, allowing trivial bypasses of the AMSI subsystem via relatively simple transformations. AMSI bypass tools and techniques are routinely deployed by obfuscated code as part of its infection chain.

The tree-sitter parsing library opens new avenues for detection and analysis by providing an API that allows developers to interact programmatically with a script's syntax tree. This talk will showcase new techniques for rapidly detecting, analyzing, and preventing infections, culminating in the demonstration of a custom AMSI provider DLL that can deobfuscate, block, and log obfuscated PowerShell payloads. These demonstrations will show successful, automated detection of AMSI bypass attempts from the r77 rootkit and the nishang offensive PowerShell framework, as well as of payloads obfuscated with Invoke-Obfuscation.


The research in this talk has been developed over the past year and a half, and I presented early iterations of it at BSides SATX and BSides Austin in 2024. The basic premise is that tree-sitter provides a unified API through which we can parse, query, traverse, and manipulate syntax trees in a plethora of different languages, allowing us to develop new kinds of scanning engines and deobfuscation toolkits.

This talk greatly expands upon that research with the inclusion of a from-scratch AMSI provider DLL written in Rust that preprocesses obfuscated PowerShell scripts and can be configured either to block script execution entirely or to pass the deobfuscated results up the chain for further scanning by other providers on the system. This new AMSI provider also implements a custom Event Tracing for Windows (ETW) trace logging provider that logs the deobfuscated contents, giving threat hunters and incident responders an instantaneous look at the deobfuscated script that takes script block logging to an entirely new level. This AMSI provider and its associated research have not been discussed or shown at any other conference; BSidesLV will be the first public demonstration and discussion of it.
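To make the "parse, then fold the tree" idea concrete, here is an added example that is not the speaker's code or the talk's AMSI provider. It assumes tree-sitter is not installed, so a minimal hand-written parser for a PowerShell expression subset (string literals, `[char]N` casts, parentheses and `+` concatenation, a common Invoke-Obfuscation string-building pattern) stands in for the tree-sitter syntax tree; the fold walk and the fragment count are the deobfuscation and detection signals a provider would act on.

```python
"""Constant-fold a syntax tree for a small PowerShell expression subset.

Constructed stand-in for a tree-sitter pass: tokenize, build a tree of
("str", text) / ("char", code) / ("concat", left, right) nodes, then fold
the tree into the string the script would assemble at run time.
"""
import re

# Constructed token grammar: 'single'/"double" strings, [char]N casts, + ( )
TOKEN = re.compile(r"""\s*(?:('[^']*')|("[^"]*")|(\[char\]\s*\d+)|([()+]))""", re.I)

def tokenize(src):
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:  # anything outside the supported subset is rejected
            raise ValueError(f"unsupported syntax at offset {pos}")
        tokens.append(m.group(0).strip())
        pos = m.end()
    return tokens

def parse(tokens):
    pos = 0
    def term():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return node
        if tok.lower().startswith("[char]"):
            return ("char", int(tok[6:]))  # int() tolerates the inner space
        if tok[0] in "'\"":
            return ("str", tok[1:-1])
        raise ValueError(f"unexpected token {tok!r}")
    def expr():
        nonlocal pos
        node = term()
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            node = ("concat", node, term())
        return node
    node = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return node

def fold(node):
    """Collapse the tree into the literal string it evaluates to."""
    if node[0] == "str":
        return node[1]
    if node[0] == "char":
        return chr(node[1])
    return fold(node[1]) + fold(node[2])

def fragments(node):
    """Number of leaf pieces joined; a command built from many is a signal."""
    return 1 if node[0] != "concat" else fragments(node[1]) + fragments(node[2])

def deobfuscate(src):
    tree = parse(tokenize(src))
    return fold(tree), fragments(tree)
```

The folded string is what a provider would hand to the next scanner or write to its ETW trace; the fragment count is the kind of structural feature a tree query can extract that byte-pattern scanning cannot.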

David McDonald is a researcher and software engineer with 4 years of digital forensics R&D experience. His passion for this field began with his involvement in the University of New Orleans CTF team, as well as through his time as a Systems Programming teaching assistant. After over two years of digital forensics research and development on Cellebrite's computer forensics team, he joined Volexity's Volcano team, where he now works to develop next-generation memory analysis solutions.

He believes deeply in sharing knowledge and helping others discover their abilities and interests through their own journeys in cybersecurity, and strives to pay forward the benefits of the mentorship that has opened so many doors for him.