Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Sigma rule (View on GitHub)
1title: Potential AMSI Bypass Via .NET Reflection
2id: 30edb182-aa75-42c0-b0a9-e998bb29067c
3related:
4 - id: 4f927692-68b5-4267-871b-073c45f4f6fe
5 type: obsoletes
6status: test
7description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
8references:
9 - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
10 - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
11author: Markus Neis, @Kostastsale
12date: 2018/08/17
13modified: 2023/02/03
14tags:
15 - attack.defense_evasion
16 - attack.t1562.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_1:
22 CommandLine|contains:
23 - 'System.Management.Automation.AmsiUtils'
24 - 'amsiInitFailed'
25 selection_2:
26 CommandLine|contains|all:
27 - '[Ref].Assembly.GetType'
28 - 'SetValue($null,$true)'
29 - 'NonPublic,Static'
30 condition: 1 of selection_*
31falsepositives:
32 - Unlikely
33level: high
References
Related rules
- NetNTLM Downgrade Attack
- Raccine Uninstall
- Powershell MS Defender Tampering - ScriptBlockLogging
- Microsoft Defender Tamper Protection Trigger
- Tampering of Windows Defender with Reg