Potential Antimalware Scan Interface Bypass via PowerShell
Detects PowerShell scripts that reference Antimalware Scan Interface (AMSI) bypass classes, methods, or known bypass strings. Attackers attempt AMSI bypass to disable scanning and run malicious PowerShell content undetected.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2026/01/26"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts that reference Antimalware Scan Interface (AMSI) bypass classes, methods, or known bypass
strings. Attackers attempt AMSI bypass to disable scanning and run malicious PowerShell content undetected.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Antimalware Scan Interface Bypass via PowerShell"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Antimalware Scan Interface Bypass via PowerShell

This rule detects PowerShell script block content that references Antimalware Scan Interface (AMSI) bypass techniques. This behavior is commonly used to impair PowerShell content scanning and is frequently a precursor to additional PowerShell activity that would otherwise be inspected.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Validate the intent of the script block:
  - Review `powershell.file.script_block_text` and identify which AMSI-related indicators are present (for example, `System.Management.Automation.AmsiUtils`, `amsiInitFailed`, `amsiContext`, `amsiSession`, `AmsiInitialize`, `amsi.dll`).
  - Identify bypass techniques suggested by the script content, such as reflection-based field modification (for example, `Assembly.GetType(` and `.SetValue(`) or in-memory modification patterns (for example, `AllocHGlobal`).
  - Note explicit bypass helper names in the script text (for example, `Invoke-AmsiBypass`, `Bypass.AMSI`, `FindAmsiFun`, `unloadobfuscated`, `unloadsilent`) and any obfuscation (mixed casing, character-code string construction, normalization, or heavy use of `-replace`).
  - Treat this alert as an AMSI bypass attempt; success is not typically confirmed from the matching script block alone, so prioritize follow-on activity review.
- Reconstruct the complete script when content is split across multiple events:
  - Pivot on `powershell.file.script_block_id` and collect all related fragments.
  - Order fragments by `powershell.sequence` and confirm the expected count with `powershell.total`.
  - Re-review the reconstructed text for additional behaviors beyond the bypass attempt (for example, retrieving additional content, decoding staged data, or invoking suspicious functions).
- Determine the likely source of the script content:
  - Review `file.path` and `file.name` when present to identify an on-disk script source.
  - Assess whether the path and filename align with established administrative tooling for the user/host, or whether it appears in an unexpected or transient location (for example, user profile, Temp, Downloads, or other user-writable locations).
  - If `file.path` is not present, treat the source as unknown and prioritize correlation with other telemetry based on `host.name` and `@timestamp`.
- Establish the execution scope and operator context:
  - Review `user.name`, `user.domain`, and `user.id` to understand which account generated the script block content and whether it is expected to run PowerShell on `host.name`.
  - Review `host.name` and `host.id` to determine whether the activity is isolated to a single endpoint or recurring across multiple systems.
  - Identify repeated alerts involving the same `user.id` and/or `host.id` in a short period, which may indicate iterative testing of bypass variants or repeated execution of the same script.
- Hunt for related PowerShell activity on the same endpoint and account:
  - Search for additional script blocks on the same `host.id` around `@timestamp` to identify activity immediately before and after the bypass attempt.
  - Use distinctive strings from `powershell.file.script_block_text` (function names, variable names, or unique encodings) to identify reuse by the same `user.id` or across other hosts.
  - Extract any observable indicators embedded in the script text (for example, domains, IPs, URLs, or file paths) and use them to expand scoping searches.
- Correlate with adjacent telemetry using `host.name`, `user.name`, and the alert time window (if available in your environment):
  - Process execution telemetry to identify how PowerShell was launched and the initiating parent process (interactive use vs. another application or automation).
  - Network telemetry for outbound connections and DNS activity that align with any remote retrieval or command-and-control behavior implied by the script content.
  - File and registry telemetry for artifacts consistent with payload staging or persistence created shortly after the bypass attempt.
  - Authentication telemetry to identify unusual or new logon activity for the implicated user on the affected host near the alert time.

### False positive analysis

- Training material or code snippets may be executed verbatim in a console during learning exercises. Confirm the context in `powershell.file.script_block_text` and whether additional suspicious behaviors appear in nearby script blocks from the same user and host.

### Response and remediation

- If the activity is confirmed or strongly suspected to be malicious:
  - Contain the affected host to prevent further execution and lateral movement.
  - Preserve evidence from the alert: `powershell.file.script_block_text`, `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`, `host.name`, `host.id`, `user.name`, `user.domain`, `user.id`, and any associated `file.path`/`file.name`.
  - If `file.path` is present, collect the referenced script from disk (if still available) and identify where else it exists in the environment.
  - Scope for additional impacted systems by searching for the same bypass strings and distinctive patterns across other hosts and users.
  - Investigate and remediate follow-on actions identified in the reconstructed script and adjacent script blocks (for example, retrieval of additional code, credential access attempts, or persistence).
  - Reset credentials for involved accounts when warranted and review for further suspicious activity tied to `user.id` across the environment.
- Reduce the likelihood of recurrence:
  - Ensure PowerShell logging is appropriately enabled and centrally collected to support reconstruction and scoping.
  - Apply least privilege and limit PowerShell usage to approved roles and systems where feasible.
  - Review monitoring coverage for repeated AMSI bypass attempts and related PowerShell activity on the same host or by the same user.
"""
references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"]
risk_score = 73
rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8"
setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: PowerShell Logs",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:"process" and host.os.type:windows and
  (
    powershell.file.script_block_text : (
      "System.Management.Automation.AmsiUtils" or
      amsiInitFailed or
      "Invoke-AmsiBypass" or
      "Bypass.AMSI" or
      "amsi.dll" or
      AntimalwareProvider or
      amsiSession or
      amsiContext or
      AmsiInitialize or
      unloadobfuscated or
      unloadsilent or
      AmsiX64 or
      AmsiX32 or
      FindAmsiFun or
      "AllocHGlobal((9076" or
      "[cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69"
    ) or
    powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(") or
    powershell.file.script_block_text:("::AllocHGlobal((" and ".SetValue(" and "-replace" and ".NoRMALiZe(")
  ) and
  not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "user.name",
  "user.id",
  "user.domain",
  "powershell.file.script_block_text",
  "powershell.file.script_block_id",
  "powershell.sequence",
  "powershell.total",
  "file.path",
  "file.directory",
  "file.name",
  "process.pid",
  "host.name",
  "host.id",
  "powershell.file.script_block_length"
]
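The triage guide above asks the analyst to reconstruct a script block that Script Block Logging split across several 4104 events (pivot on `powershell.file.script_block_id`, order by `powershell.sequence`, check the count against `powershell.total`) and then to identify which of the rule's AMSI indicators the reconstructed text contains. The following Python is an added example written for this page, not Elastic's code: it performs both steps offline over constructed sample events shaped like the ECS fields the rule names. Its matching is a case-insensitive substring approximation of the KQL query (Elasticsearch applies analyzed-term and phrase matching, so the rule itself can be narrower); the event dicts, block ids and script text are constructed samples, not real telemetry.

```python
"""Offline triage helper: reconstruct split 4104 script blocks and apply the
rule's AMSI-bypass indicator logic (approximated) to the reconstructed text.

Added example, not Elastic's code. Sample events below are constructed.
"""
from collections import defaultdict

# Single-term/phrase indicators from the rule's first OR group (any one matches).
SINGLE_INDICATORS = [
    "System.Management.Automation.AmsiUtils",
    "amsiInitFailed",
    "Invoke-AmsiBypass",
    "Bypass.AMSI",
    "amsi.dll",
    "AntimalwareProvider",
    "amsiSession",
    "amsiContext",
    "AmsiInitialize",
    "unloadobfuscated",
    "unloadsilent",
    "AmsiX64",
    "AmsiX32",
    "FindAmsiFun",
    "AllocHGlobal((9076",
    "[cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69",
]

# Conjunctive groups from the rule (every string in a group must be present).
AND_GROUPS = [
    ["[Ref].Assembly.GetType(('System.Management.Automation", ".SetValue("],
    ["::AllocHGlobal((", ".SetValue(", "-replace", ".NoRMALiZe("],
]

# The rule's exclusion: both strings present suppresses the alert.
EXCLUSION = ["sentinelbreakpoints", "Set-PSBreakpoint"]


def _contains_all(text, needles):
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def matched_indicators(text):
    """Return the indicator strings found in text, in rule order."""
    lowered = text.lower()
    hits = [s for s in SINGLE_INDICATORS if s.lower() in lowered]
    for group in AND_GROUPS:
        if _contains_all(text, group):
            hits.append(" AND ".join(group))
    return hits


def is_excluded(text):
    return _contains_all(text, EXCLUSION)


def rule_matches(text):
    """Approximate the rule: some indicator present and the exclusion absent."""
    return bool(matched_indicators(text)) and not is_excluded(text)


def reconstruct_script_blocks(events):
    """Group fragments by script_block_id, order by sequence, and compare the
    fragment count with total. Returns {script_block_id: (text, complete)}."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["powershell"]["file"]["script_block_id"]].append(ev)
    result = {}
    for block_id, frags in by_id.items():
        frags.sort(key=lambda e: e["powershell"]["sequence"])
        expected = frags[0]["powershell"]["total"]
        seqs = [f["powershell"]["sequence"] for f in frags]
        complete = seqs == list(range(1, expected + 1))  # no gaps, none missing
        text = "".join(f["powershell"]["file"]["script_block_text"] for f in frags)
        result[block_id] = (text, complete)
    return result


def triage(events):
    """One finding per reconstructed script block."""
    findings = []
    for block_id, (text, complete) in reconstruct_script_blocks(events).items():
        findings.append({
            "script_block_id": block_id,
            "complete": complete,
            "indicators": matched_indicators(text),
            "excluded": is_excluded(text),
            "alert": rule_matches(text),
        })
    return findings


# Constructed sample events (not real telemetry). Block A arrives out of order
# in two fragments and references AMSI internals; block B is benign; block C
# contains an indicator but also the rule's exclusion strings.
SAMPLE_EVENTS = [
    {"powershell": {"sequence": 2, "total": 2, "file": {"script_block_id": "A",
        "script_block_text": " -Name amsiInitFailed; Write-Host 'done'"}}},
    {"powershell": {"sequence": 1, "total": 2, "file": {"script_block_id": "A",
        "script_block_text": "$t = 'System.Management.Automation.AmsiUtils'; Get-Member -InputObject $t"}}},
    {"powershell": {"sequence": 1, "total": 1, "file": {"script_block_id": "B",
        "script_block_text": "Get-Process | Where-Object Name -eq 'explorer'"}}},
    {"powershell": {"sequence": 1, "total": 1, "file": {"script_block_id": "C",
        "script_block_text": "# sentinelbreakpoints helper\nSet-PSBreakpoint -Script amsi.dll.ps1 -Line 1"}}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running it reports block A as complete and alerting on two indicators, block B as clean, and block C as suppressed by the exclusion despite containing `amsi.dll`, which mirrors how the rule's `not` clause behaves. The `complete` flag is worth checking before judging intent: when fragments are missing, `reconstruct_script_blocks` still returns the partial text, but a bypass indicator may sit in a fragment that has not been collected yet.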
Related rules
- PowerShell Obfuscation via Negative Index String Reversal
- Potential PowerShell Pass-the-Hash/Relay Script
- PowerShell Kerberos Ticket Request
- PowerShell MiniDump Script
- PowerShell Script with Veeam Credential Access Capabilities