Bypass Antimalware Software by tricking AMSI
Krishnendu De
Information Security Leadership | Red and Blue Teamer | Cloud Security Expert | OT Cyber Security | Realtime System Industrial Cyber Security | Critical Infrastructure Cyber Security Expert
What is AMSI
Microsoft developed the Anti-Malware Scan Interface (AMSI), an API that lets developers send content to the endpoint security agent installed on the machine for scanning, no matter where that content originates. AMSI was built to combat fileless malware: it takes content from scripting interpreters and other operating system components and hands it to the installed antivirus software for analysis. When an application wants content scanned by an AMSI provider, it loads amsi.dll and calls AmsiInitialize and AmsiOpenSession to establish an AMSI session, then submits the content through AmsiScanString or AmsiScanBuffer. This API gives developers and their applications a critical additional layer of security.
At a high level, AMSI acts as a bridge between PowerShell and the antivirus software: every command or script run inside PowerShell is captured by AMSI and sent to the installed antivirus for inspection. AMSI was initially introduced for PowerShell only, but it was later integrated into JScript, VBScript, VBA, and .NET (with .NET Framework 4.8). It is not restricted to PowerShell, JScript, VBScript or VBA either: anyone can integrate AMSI into their own programs using the API calls that the AMSI interface provides. The API calls a program (in our case PowerShell) can use are defined in amsi.dll, and amsi.dll is loaded into the PowerShell process as soon as it starts. We can verify this with Process Hacker.
Now that we have covered the basics of AMSI, let's look at some well-known techniques for bypassing it. Red teamers often need to execute arbitrary code for lateral movement or privilege escalation, which makes bypassing AMSI a necessary skill. It is worth mentioning that content scanned through AMSI gets blocked on certain keywords, such as "invoke-mimikatz" or "amsiutils", because they are widely known to be used in exploitation.
AMSI exports the API functions listed below, which a program uses to hand content to the local antivirus software (the provider is reached through RPC).
HRESULT AmsiInitialize(
    LPCWSTR      appName,
    HAMSICONTEXT *amsiContext
);
HRESULT AmsiOpenSession(
    HAMSICONTEXT amsiContext,
    HAMSISESSION *amsiSession
);
HRESULT AmsiScanString(
    HAMSICONTEXT amsiContext,
    LPCWSTR      string,
    LPCWSTR      contentName,
    HAMSISESSION amsiSession,
    AMSI_RESULT  *result
);
HRESULT AmsiScanBuffer(
    HAMSICONTEXT amsiContext,
    PVOID        buffer,
    ULONG        length,
    LPCWSTR      contentName,
    HAMSISESSION amsiSession,
    AMSI_RESULT  *result
);
void AmsiCloseSession(
    HAMSICONTEXT amsiContext,
    HAMSISESSION amsiSession
);
Source: Microsoft Docs
Among these AMSI APIs, the ones of interest to us are AmsiScanString and AmsiScanBuffer; AmsiScanString calls AmsiScanBuffer underneath.
How to Bypass AMSI
There are two commonly used methods for bypassing AMSI: obfuscation and patching amsi.dll in memory. The purpose of AMSI is to pass content to the antivirus software so it can decide whether the content is malicious. If the content is obfuscated, however, the antivirus software may not be able to recognise it as malicious, which is why obfuscation is a commonly used method for bypassing AMSI.
Patching amsi.dll in memory is the other technique. Here the attacker modifies amsi.dll inside the process's memory so that the AMSI scan is disabled or bypassed. Keep in mind that both methods are routinely used by attackers to get around security measures.
As detection technology advances, so do the attempts to evade it. Obfuscating or stripping the words in a script that AV detects can let the script run undetected. This process isn't always feasible, though: it takes time and can break the script, and because AV vendors keep updating their signatures, the script has to be kept up to date as well.
The other widely used method for evading antivirus software is patching the AmsiScanBuffer function. This works because amsi.dll is loaded into the same virtual memory space as the process, which gives the process full control over that address space. Keep in mind that every AV vendor has different signatures and updates them constantly, which makes obfuscation less feasible.
Manually finding an AMSI bypass
Analysts can look for processes bypassing AMSI in and via the following areas:
- Registry
  - HKLM\SOFTWARE\Microsoft\AMSI\Providers\
  - *\Microsoft\Windows Script\Settings\AmsiEnable
  - COM hijacking
- Code execution (patterns, file names, function names, and so on)
  - PowerShell 2.0
  - AmsiInitialize + VirtualProtect
  - GetProcAddress + VirtualProtect
  - LoadLibrary + any AMSI or related DLL
- Memory
- AMSI and related DLLs (DLL hijacking via amsi.dll)
- Various hooks
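A triage script that applies the code-execution indicators from the list above to script-block log text, as an added example that is not part of the original article; the rule names, the event ids and the sample script lines are constructed assumptions, and the key pairs are flagged only when they co-occur in one block.

```python
import re

# Detection rules taken from the article's list of places to look. Each rule
# names the indicator and the case-insensitive substrings that must ALL occur
# in one script block: it is the co-occurrence that makes a pair suspicious,
# a lone API name in a comment or help text is not enough.
RULES = {
    "AmsiInitialize + VirtualProtect": ("amsiinitialize", "virtualprotect"),
    "GetProcAddress + VirtualProtect": ("getprocaddress", "virtualprotect"),
    "LoadLibrary + AMSI DLL": ("loadlibrary", "amsi.dll"),
    "AmsiEnable registry key": ("windows script\\settings", "amsienable"),
    "AMSI provider registry key": ("microsoft\\amsi\\providers",),
    "known flagged keyword (amsiutils)": ("amsiutils",),
    "known flagged keyword (invoke-mimikatz)": ("invoke-mimikatz",),
}
# PowerShell 2.0 predates AMSI, so a version downgrade request on the command
# line is its own indicator (matches "-v 2", "-version 2", "-Version 2.0").
DOWNGRADE_RE = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?:\s|$)")

def match_rules(text):
    """Return the names of all indicators present in one script block."""
    lowered = text.lower()
    hits = [name for name, needles in RULES.items()
            if all(needle in lowered for needle in needles)]
    if DOWNGRADE_RE.search(text):
        hits.append("PowerShell 2.0 downgrade")
    return hits

def triage(events):
    """events: iterable of (event_id, script_text). Returns only flagged ids."""
    return {eid: hits for eid, text in events if (hits := match_rules(text))}

# Constructed sample script-block log entries (not real telemetry); the ids
# mimic PowerShell event 4104 records and the script text is deliberately
# incomplete.
SAMPLE_EVENTS = [
    ("4104-0001", "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }"),
    ("4104-0002", "$h = LoadLibrary('amsi.dll'); $a = GetProcAddress($h, 'AmsiScanBuffer'); VirtualProtect($a, ...)"),
    ("4104-0003", "Get-ItemProperty 'HKCU:\\SOFTWARE\\Microsoft\\Windows Script\\Settings' -Name AmsiEnable"),
    ("4104-0004", "powershell.exe -version 2 -nop -File .\\legacy.ps1"),
    ("4104-0005", "Write-Host 'AmsiInitialize is documented in amsi.h'"),
]

if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS).items():
        print(eid, "->", ", ".join(hits))
```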