AMSI stands for Anti-Malware Scan Interface. Microsoft developed this technology to protect users from malware and first shipped it in Windows 10. AMSI intercepts scripts and commands at run time and hands their content to the registered antivirus engine for scanning before execution continues.
Here is a list of components that implement AMSI in Windows 10:
• User Account Control or UAC (elevation of rights to install EXE, COM, MSI or ActiveX);
• PowerShell (scripts, interactive use and dynamic code evaluation);
• Windows Script Host (wscript.exe and cscript.exe);
• JavaScript and VBScript;
• VBA macros.
Keep in mind that AMSI is the subject of a lot of research, and whether AMSI is bypassed can decide whether an attack succeeds or fails. Detailed information about how AMSI works is freely available; the topic is popular and finding material is not hard. Today we will talk about several methods that are used to bypass AMSI:
The point is that AMSI itself only provides the interface: the actual verdict comes from the antivirus engine, which relies largely on signature-based detection. This is why different tactics and techniques keep appearing. Some well-known methods no longer work, but code modification, obfuscation and encryption still produce interesting results.
1. Function hooking – a method that gives control over a function before it is called. The arguments that AmsiScanBuffer() (or AmsiScanString()) passes for scanning are overwritten, so the injected DLL receives the AmsiScanBuffer() call and hands different data to the scanner. AmsiHook.dll is the tool used for this. More information about this method can be found here: https://x64sec.sh/understanding-and-bypassing-amsi/
2. PowerShell downgrade – PowerShell 2.0 is outdated, but Microsoft is in no hurry to remove it from the OS. Version 2.0 has no protection mechanisms such as AMSI, so sometimes the command powershell -version 2 is enough to bypass detection.
https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
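The detection side of the downgrade described in item 2, as an added example that is not part of the original post: a 2.x engine starting under a 5.x host leaves Event ID 400 in the classic "Windows PowerShell" log, which is exactly the trace the Lee Holmes article linked above recommends watching. The script assumes that log is enabled (it is by default) and that the remediation function runs from an elevated session; the function names are my own.

```powershell
# Added defensive example (not from the original post). Finds PowerShell v2 engine
# starts in the "Windows PowerShell" log (Event ID 400, engine state change) and
# optionally removes the v2 optional feature so the downgrade path no longer exists.

function Find-PowerShellDowngrade {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Event 400 ("Engine state is changed from None to Available") carries the
    # host version, the engine version and the host application in its message.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -notmatch 'EngineVersion=(?<engine>[\d\.]+)') { continue }
        $engine = $Matches['engine']
        # Only a 2.x engine is interesting: that is the build without AMSI.
        if ($engine -notlike '2.*') { continue }

        $hostVer = if ($e.Message -match 'HostVersion=(?<ver>[\d\.]+)') { $Matches['ver'] } else { 'unknown' }
        $app     = if ($e.Message -match 'HostApplication=(?<app>[^\r\n]+)') { $Matches['app'].Trim() } else { 'unknown' }

        [pscustomobject]@{
            Time            = $e.TimeCreated
            EngineVersion   = $engine
            HostVersion     = $hostVer   # 5.x host + 2.x engine is the downgrade pattern
            HostApplication = $app       # usually shows the "-version 2" command line
        }
    }
}

function Disable-PowerShellV2 {
    # Remediation: remove the optional feature (requires an elevated session).
    # Feature names on Windows 10: MicrosoftWindowsPowerShellV2Root and MicrosoftWindowsPowerShellV2.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
        ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart }
}

# Review the last 30 days, then decide whether to remove the v2 engine.
Find-PowerShellDowngrade -Days 30 | Format-Table -AutoSize
```

If the engine is left installed, forward Event ID 400 with EngineVersion=2.* to the SIEM; once Disable-PowerShellV2 has run, powershell -version 2 simply falls back to the current engine, where AMSI is active.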
3. Memory patching – patch AmsiScanBuffer() in memory so that it always returns a result reporting the buffer as clean (“check passed successfully”). Tools referenced:
https://github.com/med0x2e/NoAmci
https://github.com/rasta-mouse/AmsiScanBufferBypass
https://gist.github.com/FatRodzianko/c8a76537b5a87b850c7d158728717998
https://gist.github.com/am0nsec/986db36000d82b39c73218facc557628
https://gist.github.com/am0nsec/854a6662f9df165789c8ed2b556e9597
Additional reading on the topic: https://xss.is/threads/30227/