The Cyber Shafarat – Treadstone 71

We See What Others Cannot

Cyber Security Information Security infosec Malware Operating System

Anti-Malware Scan Interface – #AMSI

ByTreadstone 71

Feb 8, 2022

• The abbreviation AMSI stands for Anti-Malware Scan Interface. Microsoft developed this technology as a method of protecting users from malware and first introduced it in Windows 10. AMSI intercepts scripts and commands in real time, after which it is sent to antivirus software for scanning.

Here is a list of components that implement AMSI in Windows 10:

User Account Control or UAC (elevation of the rights to install EXE, COM, MSI or ActiveX);
• #PowerShell (scripts, interactive use and dynamic code evaluation);
• Windows Script Host (wscript.exe and cscript.exe);
• JavaScript and VBScript;
• VBA macros.

• Keep in mind that AMSI is the subject of much research, and the ability to bypass AMSI can be the deciding factor between a successful and unsuccessful attack. You can find more detailed information about how AMSI works in the public domain. The topic is extremely popular and finding information is not difficult. Well, today we will talk about several methods that will help bypass AMSI:

• The point is that AMSI mechanisms use signature-based threat detection. Thanks to this, we can come up with different tactics and techniques. Some well-known methods will no longer work, but using code modification, obfuscation and cryptography, you can achieve interesting results.

1. We use Function hooking – a method that allows us to get control over a function before it is called. We overwrite the arguments that the AmsiScanBuffer() (or AmsiScanString()) function will pass for verification. Let’s move on to the dll injection, which will accept AmsiScanBuffer() and pass other data for verification. AmsiHook.dll will help us with this. More information about this method can be found here: https://x64sec.sh/understanding-and-bypassing-amsi/

2. PowerShell downgrade – #PowerShell 2.0 is outdated, but Microsoft is in no hurry to remove it from their OS. Version 2.0 does not have such protection mechanisms as AMSI, so sometimes it is enough to use the powershell -version 2 command to bypass the detection.
https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md

3. Memory patching – patch AmsiScanBuffer () so that the value “Check passed successfully” is always returned. Required tools:
https://github.com/med0x2e/NoAmci
https://github.com/rasta-mouse/AmsiScanBufferBypass
https://gist.github.com/FatRodzianko/c8a76537b5a87b850c7d158728717998
https://gist.github.com/am0nsec/986db36000d82b39c73218facc557628
https://gist.github.com/am0nsec/854a6662f9df165789c8ed2b556e9597

In addition, read the material on damage: https://xss.is/threads/30227/

By Treadstone 71

@Treadstone71LLC Cognitive Warfare Training, Intelligence and Counterintelligence Tradecraft, Influence Operations, Cyber Operations, OSINT,OPSEC, Darknet, Deepweb, Clandestine Cyber HUMINT, customized training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, Disinformation detection, Analysis as a Service

Related Post

Cognitive War Cognitive Warfare Color Revolutions Cyber Foreign Legion Cyber Intelligence Cyber Intelligence Capability Maturity Model Cyber Intelligence CBK Cyber Intelligence Common Body of Knowledge Cyber Intelligence Lifecycle Cyber Militia Cyber Operations Cyber Psyops Cyber Security Cyber Threat Intelligence Cyber Training Cyber Warfare Gray Zone HUMINT Hybrid Warfare Hybrid Warfare Influence Operations Information Operations Intelligence Analysis Intelligence Estimate Intelligence Training Neuro-Linguistic Program OPSEC OSINT Pattern of Life Psychological Profile Psychological Technique of the Seven Radicals Reporting SIGINT Threat intelligence Tradecraft Treadstone 71 Treadstone 71 Cyber Intelligence Capability Maturity Model Warning Intelligence

Treadstone 71 March Madness #Training #Sale #MarchMadness

Mar 5, 2023 Treadstone 71
botnet cyber attack DDoS hack Information Security

Network Nightmare

Mar 2, 2023 Treadstone 71
#StopPutin #StopRussia Information Security Putin

Job Opening St. Petersburg Head of InfoSec

Feb 14, 2023 Treadstone 71

You missed

GosSOPKA Russia

Brief review of improvement and
development of GosSOPKA

Mar 22, 2023
ALL

Dark Live Linker

Mar 21, 2023
ALL

HudaPar Terror Party – Kromsec hack

Mar 21, 2023
Brainwash China oppression

China Tightens Oppression

Mar 21, 2023