Potential AMSI Bypass Script Using NULL Bits

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Sigma rule (View on GitHub)

 1title: Potential AMSI Bypass Script Using NULL Bits
 2id: fa2559c8-1197-471d-9cdd-05a0273d4522
 3related:
 4    - id: 92a974db-ab84-457f-9ec0-55db83d7a825
 5      type: similar
 6status: test
 7description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
 8references:
 9    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-04
12modified: 2023-05-09
13tags:
14    - attack.defense-evasion
15    - attack.t1562.001
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains:
23            - "if(0){{{0}}}' -f $(0 -as [char]) +"
24            - "#<NULL>"
25    condition: selection
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top