Anti-AMSI techniques

1. Anti-Malware Scan Interface (AMSI)

AMSI is a runtime detection measure delivered natively with Windows. It is only an interface for other anti-malware products. For example, Windows Defender uses it to instrument scripts before they actually execute in the runtime (e.g. .NET for PowerShell). If the registered AMSI provider (Windows Defender by default) matches a signature in the script, execution is blocked. AMSI is fully integrated with the following technologies:

  • PowerShell
  • Windows Script Host (WSH)
  • JScript and VBScript
  • Office VBA macros

When using these technologies in a malicious way, we need to be aware of the presence of AMSI: it can simply block the execution.

2. AMSI Bypassing

Most of the techniques need an additional layer of obfuscation to work properly.

2.1. PowerShell downgrade

By manually downgrading PowerShell to version 2.0, we can bypass these security features, because they were not present until version 5.0.

PowerShell -Version 2

NOTE: In well-secured environments, the possibility of changing the PowerShell version will most likely be disabled.
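From the defender's side, the downgrade is easy to both prevent and spot. The following PowerShell script is an added example (not part of the original notes) that checks whether the legacy 2.0 engine is still installed and hunts the classic "Windows PowerShell" event log for engine starts that reported EngineVersion=2.0 (event ID 400 records the engine version and host application for every new engine). The seven-day lookback and the output column names are my own choices; run it from an elevated PowerShell 5.1 session.

```powershell
# Added example (not from the original notes): audit and detect the PowerShell 2.0 downgrade.

# 1. Is the legacy 2.0 engine still installed? It ships as an optional Windows feature.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root'
if ($v2.State -eq 'Enabled') {
    Write-Warning 'PowerShell 2.0 engine is installed; a version downgrade is possible on this host.'
    # Remediation (uncomment to apply): remove the optional feature so "-Version 2" fails.
    # Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart
} else {
    Write-Host 'PowerShell 2.0 engine is not installed.'
}

# 2. Hunt for engines that started as version 2.0 during the last seven days (lookback is an assumption).
#    Event ID 400 ("Engine state is changed from None to Available") carries EngineVersion=<ver>
#    and HostApplication=<command line> in its message body.
$since = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    ForEach-Object {
        # Pull the HostApplication line out of the message so the launching command line is visible.
        $hostApp = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'HostApplication=' }) -replace '^\s*HostApplication=', ''
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            EngineVersion   = '2.0'
            HostApplication = $hostApp
        }
    }

if ($hits) {
    Write-Warning ("{0} PowerShell 2.0 engine start(s) found since {1}:" -f @($hits).Count, $since)
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No PowerShell 2.0 engine starts logged since $since."
}
```

Removing the optional feature is the durable fix; the log query is the fallback for hosts where it is still present, and the same EngineVersion=2.0 match can be lifted into a SIEM rule over forwarded event 400 entries.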

2.2. PowerShell reflection

TBD

2.3. In-memory amsi.dll patching

TBD