PowerShell AMSI Bypass Pattern
Detects attempts to disable AMSI from the command line. AMSI can be bypassed by disabling it before the main payload is loaded, so the rule looks for PowerShell hosts whose command line carries the reflection pattern used to do this.
Sigma rule

title: PowerShell AMSI Bypass Pattern
id: 4f7f3162-d6e7-48f7-bbf9-2a56eb6a1ff2
status: experimental
description: Detects attempts to disable AMSI in the commandline. It is possible to bypass AMSI by disabling it before loading the main payload.
author: '@Kostastsale'
references:
  - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
date: 2022/11/04
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.execution
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\powershell_ise.exe'
    CommandLine|contains|all:
      - '[Ref].Assembly.GetType'
      - 'SetValue($null,$true)'
      - 'NonPublic,Static'
  condition: selection1
falsepositives:
  - Unknown
level: high
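To show how selection1 above actually evaluates, here is an added Python matcher that applies the rule's Image and CommandLine conditions to a handful of process_creation events; it is not part of the Sigma project or the rule author's code, and the event records, file paths and the PLACEHOLDER type/field names are all constructed for the example.

```python
"""Apply the 'PowerShell AMSI Bypass Pattern' Sigma selection to process_creation events.
Added example; the events below are constructed and the type/field names in the
bypass string are replaced with placeholders."""

IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")
CMDLINE_FRAGMENTS = ("[Ref].Assembly.GetType", "SetValue($null,$true)", "NonPublic,Static")


def matches_amsi_bypass_pattern(event: dict) -> bool:
    """Return True when the event satisfies selection1 of the rule.

    Sigma string modifiers (endswith, contains) are case-insensitive by default,
    so both sides are lower-cased; 'contains|all' requires every fragment.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    image_ok = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    cmdline_ok = all(f.lower() in cmdline for f in CMDLINE_FRAGMENTS)
    return image_ok and cmdline_ok


# Constructed sample events (hypothetical paths; PLACEHOLDER stands in for names not on this page).
SAMPLE_EVENTS = [
    {   # should match: powershell.exe with all three fragments
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -c \"[Ref].Assembly.GetType('PLACEHOLDER.Type')"
                       ".GetField('PLACEHOLDER','NonPublic,Static').SetValue($null,$true)\"",
    },
    {   # should match: pwsh.exe, mixed case (Sigma matching is case-insensitive)
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh -c \"[ref].assembly.gettype('PLACEHOLDER').getfield('x',"
                       "'nonpublic,static').setvalue($null,$true)\"",
    },
    {   # should not match: reflection without the SetValue($null,$true) fragment
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c \"[Ref].Assembly.GetType('PLACEHOLDER')"
                       ".GetField('x','NonPublic,Static')\"",
    },
    {   # should not match: all fragments present but the image is not a PowerShell host
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo [Ref].Assembly.GetType NonPublic,Static SetValue($null,$true)",
    },
]


def run_rule(events):
    """Return the indices of the events that trigger the rule (level: high)."""
    return [i for i, ev in enumerate(events) if matches_amsi_bypass_pattern(ev)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT level=high rule='PowerShell AMSI Bypass Pattern' event={i} image={SAMPLE_EVENTS[i]['Image']}")
```

Because the matching is literal substring matching, this rule is a high-confidence but narrow signal: any rewording of the three fragments falls outside it, which is why it is marked experimental and is best deployed alongside the obfuscation-focused related rules listed below.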
Related rules
- Using powershell specific download cradle OneLiner
- Deleting Windows Defender scheduled tasks
- Enabling restricted admin mode
- Bypassing Security Controls - Command Shell
- Obfuscated Commands - Command Shell