Potential AMSI Bypass Script Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Sigma rule (View on GitHub)
1title: Potential AMSI Bypass Script Using NULL Bits
2id: fa2559c8-1197-471d-9cdd-05a0273d4522
3related:
4 - id: 92a974db-ab84-457f-9ec0-55db83d7a825
5 type: similar
6status: test
7description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
8references:
9 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-04
12modified: 2023-05-09
13tags:
14 - attack.defense-evasion
15 - attack.t1562.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains:
23 - "if(0){{{0}}}' -f $(0 -as [char]) +"
24 - "#<NULL>"
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility