{"id":36821,"date":"2020-08-27T16:00:27","date_gmt":"2020-08-27T16:00:27","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91772"},"modified":"2020-08-27T16:00:27","modified_gmt":"2020-08-27T16:00:27","slug":"stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\/","title":{"rendered":"Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning"},"content":{"rendered":"<p>When attackers successfully breach a target network, their typical next step is to perform reconnaissance of the network, elevate their privileges, and move laterally to reach specific machines or spread as widely as possible. For these activities, attackers often probe the affected network\u2019s Active Directory, which manages domain authentication and permissions for resources. Attackers take advantage of users\u2019 ability to enumerate and interact with the Active Directory for reconnaissance, which allows lateral movement and privilege escalation. This is a common attack stage in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">human-operated ransomware campaigns<\/a> like Ryuk.<\/p>\n<p>These post-exploitation activities largely rely on scripting engines like PowerShell and WMI because scripts provide attackers flexibility and enable them to blend into the normal hum of enterprise endpoint activity. 
Scripts are lightweight, can be disguised and obfuscated relatively easily, and can be run fileless by loading them directly in memory through command-line or interacting with scripting engines in memory.<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/windows\/desktop\/amsi\/antimalware-scan-interface-portal\">Antimalware Scan Interface (AMSI)<\/a> helps security software to detect such malicious scripts by exposing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/09\/12\/office-vba-amsi-parting-the-veil-on-malicious-macros\/\">Office 365 VBA<\/a> to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros. <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/microsoft-defender-atp\/behavioral-blocking-containment\">Behavioral blocking and containment capabilities<\/a> in <a href=\"https:\/\/www.microsoft.com\/WindowsForBusiness\/windows-atp\">Microsoft Defender Advanced Threat Protection (ATP)<\/a> take full advantage of AMSI\u2019s visibility into scripts and harness the power of machine learning and cloud-delivered protection to detect and stop malicious behavior. In the broader delivery of coordinated defense, the AMSI-driven detection of malicious scripts on endpoints helps <a href=\"https:\/\/www.microsoft.com\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a>, which combines signals from Microsoft Defender ATP and other solutions in the Microsoft 365 security portfolio, to detect <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/07\/29\/inside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics\/\">cross-domain attack chains<\/a>.<\/p>\n<p>On endpoints, performance-optimized machine learning models inspect script content and behavior through AMSI. 
When scripts run and malicious or suspicious behavior is detected, features are extracted from the content, including expert features, features selected by machine learning, and fuzzy hashes. The lightweight client machine learning models make inferences on the content. If the content is classified as suspicious, the feature description is sent to the cloud for full real-time classification. In the cloud, heavier counterpart machine learning models analyze the metadata and use additional signals like file age, prevalence, and other such information to determine whether the script should be blocked.<\/p>\n<p>These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, even after they have started running. In this blog, we\u2019ll discuss examples of Active Directory attacks, including fileless threats, foiled by AMSI machine learning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91773\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig1-pair-of-AMSI-machine-learning-models.png\" alt=\"Diagram showing pairs of machine learning models on the endpoint and in the cloud using AMSI to detect malicious scripts\" width=\"800\" height=\"827\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig1-pair-of-AMSI-machine-learning-models.png 1065w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig1-pair-of-AMSI-machine-learning-models-290x300.png 290w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig1-pair-of-AMSI-machine-learning-models-991x1024.png 991w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig1-pair-of-AMSI-machine-learning-models-768x794.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 
800px\"><\/p>\n<p><em>Figure 1. Pair of AMSI machine learning models on the client and in the cloud<\/em><\/p>\n<h2>Blocking BloodHound attacks<\/h2>\n<p>BloodHound is a popular open-source tool for enumerating and visualizing the domain Active Directory and is used by red teams and attackers as a post-exploitation tool. The enumeration produces a graph of domain devices, users actively signed into devices, and resources, along with all their permissions. Attackers can discover and abuse weak permission configurations for <a href=\"https:\/\/blog.stealthbits.com\/attacking-active-directory-permissions-with-bloodhound\/\">privilege escalation by taking over other user accounts<\/a> or adding themselves to groups with high privileges, or for planning their lateral movement path to their target privileges. Attackers, including those behind <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">human-operated ransomware<\/a> campaigns such as Ryuk, use BloodHound as part of their attacks.<\/p>\n<p>To work, BloodHound uses a component called <a href=\"https:\/\/github.com\/BloodHoundAD\/SharpHound3\">SharpHound<\/a> to enumerate the domain and collect various categories of data: local admin collection, group membership collection, session collection, object property collection, ACL collection, and trust collection. The collected data is then typically exfiltrated to be visualized and analyzed by the attacker as part of planning their next steps. SharpHound performs the domain enumeration and is officially published as a <a href=\"https:\/\/github.com\/BloodHoundAD\/BloodHound\/blob\/master\/Ingestors\/SharpHound.ps1\">fileless PowerShell in-memory version<\/a>, as well as a file-based executable version. 
It is critical to identify the fileless PowerShell variant of this enumeration if it is active on a network.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91774\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig2-SharpHound-ingeestor-code.png\" alt=\"Code snippet of the SharpHound ingestor\" width=\"800\" height=\"213\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig2-SharpHound-ingeestor-code.png 1100w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig2-SharpHound-ingeestor-code-300x80.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig2-SharpHound-ingeestor-code-1024x273.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig2-SharpHound-ingeestor-code-768x205.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 2. SharpHound ingestor code snippets<\/em><\/p>\n<p>When the SharpHound fileless PowerShell ingestor is run in memory, whether by a pen tester or an attacker, AMSI sees its execution buffer. 
The machine learning model on the client featurizes this buffer and sends it to the cloud for final classification.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91775\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig3-Featurized-SharpHound-ingestor-code.png\" alt=\"Code snippet of SharpHound ingestor showing featurized details\" width=\"800\" height=\"260\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig3-Featurized-SharpHound-ingestor-code.png 1321w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig3-Featurized-SharpHound-ingestor-code-300x97.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig3-Featurized-SharpHound-ingestor-code-1024x333.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig3-Featurized-SharpHound-ingestor-code-768x249.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 3. Sample featurized SharpHound ingestor code<\/em><\/p>\n<p>The counterpart machine learning model in the cloud analyzes the metadata, integrates other signals, and returns a verdict. 
Malicious scripts are detected and stopped on endpoints in real time:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91776\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig4-Microsoft-Defender-Antivirus-detection-Sharphound.png\" alt=\"Screenshot of Microsoft Defender Antivirus alert for detection of SharpHound\" width=\"500\" height=\"394\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig4-Microsoft-Defender-Antivirus-detection-Sharphound.png 500w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig4-Microsoft-Defender-Antivirus-detection-Sharphound-300x236.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"><\/p>\n<p><em>Figure 4. Microsoft Defender Antivirus detection of SharpHound<\/em><\/p>\n<p>Detections are reported in Microsoft Defender Security Center, where SOC analysts can use Microsoft Defender ATP\u2019s rich set of tools to investigate and respond to attacks:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91784\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig5a-Microsoft-Defender-Security-Center-alert-SharpHound.png\" alt=\"Screenshot of Microsoft Defender Security Center showing detection of SharpHound\" width=\"800\" height=\"413\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig5a-Microsoft-Defender-Security-Center-alert-SharpHound.png 1197w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig5a-Microsoft-Defender-Security-Center-alert-SharpHound-300x155.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig5a-Microsoft-Defender-Security-Center-alert-SharpHound-1024x529.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/fig5a-Microsoft-Defender-Security-Center-alert-SharpHound-768x397.png 
768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 5. Microsoft Defender Security Center alert showing detection of SharpHound<\/em><\/p>\n<p>This protection is provided by AI that has learned to identify and block these attacks automatically, and that will continue to adapt and learn new attack methods we observe.<\/p>\n<h2>Stopping Kerberoasting<\/h2>\n<p>Kerberoasting, like BloodHound attacks, is a credential-theft technique used by both red teams and attackers. Kerberoasting attacks abuse the Kerberos Ticket Granting Service (TGS) to gain access to accounts, typically targeting domain accounts for lateral movement.<\/p>\n<p>Kerberoasting attacks involve scanning an Active Directory environment to generate a list of user accounts that have a Kerberos Service Principal Name (SPN). Attackers then request Kerberos service tickets for these SPNs, which are issued for those accounts. The tickets are dumped from memory using tools like Mimikatz and then exfiltrated for offline brute forcing of the encrypted portion of the tickets. 
If successful, attackers can recover the passwords associated with the accounts, which they then use to remotely sign into machines or access resources.<\/p>\n<p>All the Kerberoasting attack steps leading to the hash extraction can be accomplished using a single PowerShell script (<em>Invoke-Kerberoast.ps1<\/em>), which has been integrated into popular post-exploitation frameworks like <a href=\"https:\/\/powersploit.readthedocs.io\/en\/latest\/Recon\/Invoke-Kerberoast\/\">PowerSploit<\/a> and <a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/master\/data\/module_source\/credentials\/Invoke-Kerberoast.ps1\">PowerShell Empire<\/a>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91785\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig6a-Command-line-to-downloan-run-Kerberoasting.png\" alt width=\"596\" height=\"84\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig6a-Command-line-to-downloan-run-Kerberoasting.png 596w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig6a-Command-line-to-downloan-run-Kerberoasting-300x42.png 300w\" sizes=\"auto, (max-width: 596px) 100vw, 596px\"><\/p>\n<p><em>Figure 6. 
Single command line to download and execute Kerberoasting to extract user password hashes<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91779\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig7-Kerberoasting-code.png\" alt=\"Code snippet of Kerberoasting\" width=\"800\" height=\"230\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig7-Kerberoasting-code.png 1100w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig7-Kerberoasting-code-300x86.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig7-Kerberoasting-code-1024x294.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig7-Kerberoasting-code-768x221.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 7. Kerberoasting code<\/em><\/p>\n<p>Because AMSI has visibility into PowerShell scripts, when <em>Invoke-Kerberoast.ps1<\/em> is run, AMSI exposes the PowerShell content for inspection at runtime. 
This buffer is featurized and analyzed by client-side machine learning models, and sent to the cloud for real-time ML classification.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91780\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig8-Featurized-Kerberoasing-code.png\" alt=\"Code snippet of Kerberoasting showing featurized details\" width=\"800\" height=\"285\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig8-Featurized-Kerberoasing-code.png 1321w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig8-Featurized-Kerberoasing-code-300x107.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig8-Featurized-Kerberoasing-code-1024x364.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig8-Featurized-Kerberoasing-code-768x273.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 8. 
Sample featurized Kerberoasting code<\/em><\/p>\n<p>Microsoft Defender ATP raises an alert for the detection of <em>Invoke-Kerberoast.ps1<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-91781\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig9-Microsoft-Defender-ATP-alert-Kerberoasting.png\" alt width=\"800\" height=\"402\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig9-Microsoft-Defender-ATP-alert-Kerberoasting.png 1227w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig9-Microsoft-Defender-ATP-alert-Kerberoasting-300x151.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig9-Microsoft-Defender-ATP-alert-Kerberoasting-1024x514.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig9-Microsoft-Defender-ATP-alert-Kerberoasting-768x386.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 9. Microsoft Defender Security Center alert showing detection of Invoke-Kerberoast.ps1<\/em><\/p>\n<h2>Training the machine learning models<\/h2>\n<p>To ensure continued high-quality detection of threats, the AMSI machine learning models are trained per scripting engine using real-time protection data and threat investigations.<\/p>\n<p>Featurization is key to machine learning models making intelligent decisions about whether content is malicious or benign. For behavior-based script logs, we extract the set of library names, COM object names, and function names used by the script. 
Learning the most important features within the script content is performed by character n-gramming the script or behavior log, then running the semi-asynchronous stochastic dual coordinate ascent (SA-SDCA) algorithm with L1-regularization feature trimming to learn and deploy the most important character n-gram features.<\/p>\n<p>On top of the same features used to train the client models, other complex features used to train the cloud models include fuzzy hashes, cluster hashes, partial hashes, and more. In addition, the cloud models have access to other information like age, prevalence, global file information, reputation, and others, which allows the cloud models to make more accurate blocking decisions.<\/p>\n<h2>Conclusion: Broad visibility informs AI-driven protections<\/h2>\n<p>Across Microsoft, AI and machine learning protection technologies use Microsoft\u2019s broad visibility into various surfaces to identify new and unknown threats. <a href=\"https:\/\/www.microsoft.com\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a> uses these machine learning-driven protections to detect threats across endpoints, email and data, identities, and apps.<\/p>\n<p>On endpoints, <a href=\"https:\/\/www.microsoft.com\/WindowsForBusiness\/windows-atp\">Microsoft Defender ATP<\/a> uses multiple next-generation protection engines that detect a wide range of threats. One of these engines uses insights from AMSI and pairs of machine learning models on the client and in the cloud working together to detect and stop malicious scripts post-execution.<\/p>\n<p>These pairs of AMSI models, one pair for each scripting engine, are part of the behavior-based blocking and containment capabilities in Microsoft Defender ATP, which are designed to detect and stop threats even after they have started running. When running, threats are exposed and can\u2019t hide behind encryption or obfuscation. 
This adds another layer of protection for instances where sophisticated threats are able to slip through pre-execution defenses.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91782\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines.png\" alt=\"Diagram showing different next-generation protection engines on the client and in the cloud\" width=\"1906\" height=\"1122\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines.png 1906w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines-300x177.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines-1024x603.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines-768x452.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines-1536x904.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/08\/Fig10-Microsoft-Defender-ATP-next-generation-protection-engines-440x260.png 440w\" sizes=\"auto, (max-width: 1906px) 100vw, 1906px\"><\/p>\n<p><em>Figure 10. Microsoft Defender ATP next-generation protection engines<\/em><\/p>\n<p>In this blog post, we showed how these AMSI-driven behavior-based machine learning protections are critical in detecting and stopping post-exploitation activities like BloodHound-based and Kerberoasting attacks, which employ evasive malicious scripts, including fileless components. 
With AMSI, script content and behavior are exposed, allowing Microsoft Defender ATP to foil reconnaissance activities and prevent attacks from progressing.<\/p>\n<p>To learn more about behavior-based blocking and containment, read the following blog posts:<\/p>\n<p><strong><em>Ankit Garg and Geoff McDonald<\/em><\/strong><\/p>\n<p><em>Microsoft Defender ATP Research Team<\/em><\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/08\/27\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Defender ATP leverages AMSI\u2019s visibility into scripts and harnesses the power of machine learning to detect and stop post-exploitation activities that largely rely on scripts.<br \/>\nThe post Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning appeared first on Microsoft Security. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":36822,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[8880,3397,8026,8881,347,6419,8882,351,7220,6717,7221,8883,6578],"class_list":["post-36821","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-active-directory-attacks","tag-antimalware-scan-interface-amsi","tag-behavioral-blocking-and-containment","tag-bloodhound","tag-cybersecurity","tag-endpoint-security","tag-kerberoasting","tag-machine-learning","tag-microsoft-defender-advanced-threat-protection","tag-microsoft-defender-atp","tag-microsoft-security-intelligence","tag-post-exploitation","tag-threat-protection"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Stopping Active 
Directory attacks and other post-exploitation behavior with AMSI and machine learning 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-08-27T16:00:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/08\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1065\" \/>\n\t<meta property=\"og:image:height\" content=\"1101\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning\",\"datePublished\":\"2020-08-27T16:00:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/\"},\"wordCount\":1472,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning.png\",\"keywords\":[\"Active Directory attacks\",\"Antimalware Scan Interface (AMSI)\",\"behavioral blocking and containment\",\"BloodHound\",\"Cybersecurity\",\"Endpoint security\",\"Kerberoasting\",\"machine learning\",\"Microsoft Defender Advanced Threat Protection\",\"Microsoft Defender ATP\",\"Microsoft security intelligence\",\"post-exploitation\",\"Threat protection\"],\"articleSection\":[\"Microsoft 
Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/\",\"name\":\"Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning.png\",\"datePublished\":\"2020-08-27T16:00:27+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning.png\",\"width\":1065,\"height\":1101},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/stopping-active-directory-attacks-and-other-post-exploitation-behavior-with-amsi-and-machine-learning\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Active Directory attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/active-directory-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub 
Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\
"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}