PowerShell AMSI Bypass Pattern
Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload, so the rule keys on the reflective pattern used to flip an AMSI-related non-public static field from the process command line.
Sigma rule
title: PowerShell AMSI Bypass Pattern
status: experimental
description: Detects attempts to disable AMSI in the commandline. It is possible to bypass AMSI by disabling it before loading the main payload.
author: '@Kostastsale'
references:
    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1562.001
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
        CommandLine|contains|all:
            - '[Ref].Assembly.GetType'
            - 'SetValue($null,$true)'
            - 'NonPublic,Static'
    condition: selection1
falsepositives:
    - Unknown
level: high
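To show what the selection above actually matches, here is the rule's logic re-implemented over a handful of constructed process_creation events. This is an added example, not the rule's own code or anything from the Sigma project; the event dictionaries and the placeholder type and field names in them are made up, and the field names `Image` and `CommandLine` follow the Sigma process_creation taxonomy. Matching is done case-insensitively, as Sigma string modifiers are by default.

```python
"""Evaluate the selection from the 'PowerShell AMSI Bypass Pattern' rule
against constructed process_creation events (added example, not the rule's code)."""

# Image|endswith values from the rule
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")

# CommandLine|contains|all values from the rule: every one must be present
COMMANDLINE_ALL = (
    "[Ref].Assembly.GetType",
    "SetValue($null,$true)",
    "NonPublic,Static",
)


def matches_amsi_bypass_pattern(event: dict) -> bool:
    """Return True when the event satisfies selection1 of the rule.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison. 'all' means every substring must be found.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    image_ok = any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)
    cmd_ok = all(needle.lower() in cmd for needle in COMMANDLINE_ALL)
    return image_ok and cmd_ok


# Constructed sample events. Type and field names are placeholders, not a
# working payload; only the three substrings the rule looks for are real.
SAMPLE_EVENTS = [
    {   # all three substrings, PowerShell 5 image: should alert
        "EventId": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -c \"[Ref].Assembly.GetType('PLACEHOLDER.Type')"
                       ".GetField('placeholderField','NonPublic,Static').SetValue($null,$true)\"",
    },
    {   # same pattern, all lower case, PowerShell 7 image: case-insensitive match
        "EventId": 2,
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c \"[ref].assembly.gettype('placeholder.type')"
                       ".getfield('placeholderfield','nonpublic,static').setvalue($null,$true)\"",
    },
    {   # reflection on a non-public static field but no SetValue: 'all' is not satisfied
        "EventId": 3,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c \"[SomeType].GetField('x','NonPublic,Static').GetValue($null)\"",
    },
    {   # the substrings appear, but the image is not a PowerShell host: no match
        "EventId": 4,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo [Ref].Assembly.GetType SetValue($null,$true) NonPublic,Static",
    },
]


def alerts(events):
    """Return the EventIds of all events that trigger the rule."""
    return [e["EventId"] for e in events if matches_amsi_bypass_pattern(e)]


if __name__ == "__main__":
    for event_id in alerts(SAMPLE_EVENTS):
        print(f"ALERT PowerShell AMSI Bypass Pattern (level: high): event {event_id}")
```

Events 1 and 2 alert; event 3 shows why the `all` modifier matters (reflective access to a non-public static field on its own is common in legitimate scripts), and event 4 shows the `Image` restriction. Because the rule only inspects the process command line, the same pattern inside a script file or a Base64-encoded command is outside its scope and needs a script block logging source instead.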
References
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Related rules
- Using powershell specific download cradle OneLiner
- CMSTP Execution Process Creation
- Indirect Command Execution By Program Compatibility Wizard
- CMSTP Execution Registry Event
- Disable Security Events Logging Adding Reg Key MiniNt