Anti-AMSI techniques
1. Anti-Malware Scan Interface (AMSI)
AMSI is a runtime detection measure delivered natively with Windows. It's only an interface for other anti-malware products. For example, it's used by Windows Defender to perform script instrumentation before actual execution in the runtime (e.g. .NET for PowerShell). If a signature in the script is registered by the AMSI anti-malware service provider (Windows Defender by default), it will be blocked. AMSI is fully integrated with the following technologies:
- PowerShell
- Windows Script Host (WSH)
- JScript and VBScript
- Office VBA macros
Using this technologies in a malicious way, we need to be aware of the AMSI presence. It can simply block the execution.
2. AMSI Bypassing
Most of the techniques need an additional layer of obfuscation to work properly.
2.1. PowerShell downgrade
By manually downgrading the PowerShell version to 2.0, we can bypass security features. They were not present until version 5.0.
NOTE: In well secured environments the possibility of changing PS version would be likely disabled.
2.2. PowerShell reflection
TBD
2.3. In-memory amsi.dll patching
TBD