Potential AMSI Bypass Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Sigma rule (View on GitHub)
1title: Potential AMSI Bypass Using NULL Bits
2id: 92a974db-ab84-457f-9ec0-55db83d7a825
3related:
4 - id: fa2559c8-1197-471d-9cdd-05a0273d4522
5 type: similar
6status: test
7description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
8references:
9 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/04
12modified: 2023/05/09
13tags:
14 - attack.defense_evasion
15 - attack.t1562.001
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection:
21 CommandLine|contains:
22 - "if(0){{{0}}}' -f $(0 -as [char]) +"
23 - "#<NULL>"
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
collection of articles/books about programing. Contribute to r00t-3xp10it/hacking-material-books development by creating an account on GitHub.
Read More
Related rules
- Potential AMSI Bypass Script Using NULL Bits
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Add SafeBoot Keys Via Reg Utility
- Sysmon Driver Altitude Change
- Windows Defender Service Disabled - Registry