Bypass Windows Amsi

What is Windows Amsi

The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. By default, Windows Defender interacts with the AMSI API to scan PowerShell scripts, VBA macros, JavaScript, and scripts run through Windows Script Host at execution time, so that arbitrary code is checked before it runs.

How does it work?

When a user executes a script or starts PowerShell, amsi.dll is loaded into the process memory space. Before execution, the antivirus uses the following two APIs to scan the buffer and strings for signs of malware.

  1. AmsiScanBuffer()

  2. AmsiScanString()

If a known signature is identified, execution does not start and a message appears stating that the script has been blocked by the antivirus software. The following diagram illustrates the process of AMSI scanning.
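To see the mechanics above from the defender's side, here is an added PowerShell check (it is not from the original page or from either linked project) that verifies AMSI is present and actively scanning on a host: it lists the registered AMSI providers, confirms amsi.dll is loaded into the current PowerShell process, feeds Microsoft's published AMSI test sample string through the script engine and expects it to be blocked, and then reads the Defender detection events that the block produces. The registry paths, the test sample string and Defender event ID 1116 are documented by Microsoft; the error-id pattern the script matches on is an assumption with a message-text fallback.

```powershell
# Added example (not from the original page): verify that AMSI is present and
# actively scanning on this host. Run in Windows PowerShell 5.1 or later.

function Get-AmsiProvider {
    # Registered AMSI providers live under HKLM:\SOFTWARE\Microsoft\AMSI\Providers,
    # one subkey per provider CLSID. Resolve each CLSID to its display name.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" `
                    -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Clsid = $clsid; Name = $name }
    }
}

function Test-AmsiLoaded {
    # amsi.dll is loaded into every process that hosts a scanned script engine,
    # including this PowerShell process.
    $mods = [System.Diagnostics.Process]::GetCurrentProcess().Modules
    [bool]($mods | Where-Object { $_.ModuleName -ieq 'amsi.dll' })
}

function Test-AmsiScanActive {
    # Microsoft publishes a harmless AMSI test sample string that every AMSI
    # provider is expected to flag. It is assembled at runtime so that this
    # script file itself is not blocked when PowerShell loads it.
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression $sample | Out-Null
        return $false   # executed without being blocked: AMSI is not scanning
    } catch {
        # Assumption: PowerShell reports a blocked script with the error id
        # ScriptContainedMaliciousContent; fall back to the message text.
        return ($_.FullyQualifiedErrorId -match 'ScriptContainedMaliciousContent' -or
                $_.Exception.Message -match 'blocked by your antivirus')
    }
}

function Get-RecentDefenderDetection {
    # Event 1116 in the Defender Operational log is written for each detection,
    # including the AMSI test sample triggered above.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

Write-Host 'AMSI providers:'
Get-AmsiProvider | Format-Table -AutoSize
Write-Host "amsi.dll loaded in this process : $(Test-AmsiLoaded)"
Write-Host "AMSI blocks the test sample     : $(Test-AmsiScanActive)"
Write-Host 'Recent Defender detections:'
Get-RecentDefenderDetection | Format-Table -AutoSize
```

On a healthy host the provider list names the installed antimalware product, amsi.dll is loaded, the test sample is reported as blocked, and a fresh 1116 event appears within a few seconds. Any of those checks failing is the signal a defender wants: either no provider is registered, the DLL is missing from the script host, or scanning has been disabled or tampered with in that process.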

Testing for Amsi Bypass

https://github.com/rasta-mouse/AmsiScanBufferBypass

Amsi-Bypass-Powershell

https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Resources
