Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Sigma rule (View on GitHub)
1title: Potential AMSI Bypass Via .NET Reflection
2id: 30edb182-aa75-42c0-b0a9-e998bb29067c
3related:
4 - id: 4f927692-68b5-4267-871b-073c45f4f6fe
5 type: obsolete
6status: test
7description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
8references:
9 - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
10 - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
11author: Markus Neis, @Kostastsale
12date: 2018-08-17
13modified: 2023-02-03
14tags:
15 - attack.defense-evasion
16 - attack.t1562.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 - CommandLine|contains|all:
23 - 'System.Management.Automation.AmsiUtils'
24 - 'amsiInitFailed'
25 - CommandLine|contains|all:
26 - '[Ref].Assembly.GetType'
27 - 'SetValue($null,$true)'
28 - 'NonPublic,Static'
29 condition: selection
30falsepositives:
31 - Unlikely
32level: high
References
-
This is my very first blog post. Its about how to manually change AMSI signatures/triggers to bypass it.
Read More -
By now, many of us know that during an engagement, AMSI (Antimalware Scripting Interface) can be used to trip up PowerShell scripts in an operators arsenal. Attempt to IEX Invoke-Mimikatz...
Read More
Related rules
- Antivirus Filter Driver Disallowed On Dev Drive - Registry
- Python Function Execution Security Warning Disabled In Excel - Registry
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder