Introduction

The Antimalware Scan Interface (AMSI) is a robust security feature in Windows that enhances endpoint protection by scanning scripts and code for malicious behavior. Integrated with tools like PowerShell and VBScript, it acts as a proactive defense mechanism. However, attackers have developed sophisticated techniques to bypass AMSI, highlighting the need for a comprehensive understanding of these methods and the strategies to mitigate them. This blog explores key AMSI bypass techniques, their mechanisms, and effective countermeasures.

Understanding AMSI

AMSI is a security interface introduced by Microsoft to provide antivirus and endpoint solutions with a standard API for detecting malicious behavior in scripts. It operates through three primary mechanisms:

1. Code Interception: AMSI intercepts code snippets before execution by embedding hooks within supported interpreters like PowerShell, VBScript, and JScript.
2. Content Scanning: These intercepted snippets are passed to the antivirus engine via amsi.dll. The engine evaluates the content for malicious patterns and suspicious behaviors.
3. Execution Blocking: If flagged as malicious, the code execution is blocked based on detection rules predefined by the antivirus solution.

AMSI integrates seamlessly with Windows Defender Antivirus and third-party endpoint protection tools. By leveraging heuristic and signature-based detection methods, it provides a comprehensive layer of security. However, AMSI’s reliance on exposed APIs and memory processes introduces exploitable vulnerabilities, making it a frequent target for sophisticated attackers.

Techniques to Bypass AMSI

1. Memory Patching

Memory patching involves directly modifying AMSI-related functions in memory to disable its functionality.

Mechanism: Attackers overwrite the amsiScanBuffer function to always return a success status, effectively bypassing detection.

Code Snippet:

$amsi = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); 
$amsi.GetField('amsiInitFailed', 'NonPublic, Static').SetValue($null, $true);

Real-World Example: This method is frequently used in malware like Cobalt Strike, which patches memory to avoid AMSI scans.

2. String Obfuscation

String obfuscation alters recognizable patterns in malicious code, making it difficult for AMSI to detect threats.

Techniques:

• Splitting malicious strings and reconstructing them dynamically.
• Encoding payloads in Base64 and decoding them at runtime.

Example:

$cmd = "c" + "a" + "l" + "c"; 
Invoke-Expression ($cmd);

Why It Works: AMSI scans plain text content. By obfuscating the payload, attackers evade these checks.

3. Hooking

Hooking intercepts AMSI API calls and redirects them to custom functions that neutralize the scan.

Implementation:

• Libraries like Detours in C++ or similar .NET frameworks are used to modify function pointers.
• amsiScanBuffer is redirected to always return a benign response.

Challenges: Requires precise knowledge of memory structures and can be detected by advanced monitoring tools.

4. Environment-Based Evasion

Attackers exploit system configurations or user privileges to disable AMSI or weaken its impact.

Methods:

• Modifying environment variables to disable AMSI integrations.
• Using Set-ExecutionPolicy to lower script execution restrictions:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass

5. DLL Hijacking/Replacement

Replacing the amsi.dll file with a tampered or benign version to disable its functionality.

Execution:

• An attacker replaces the DLL in the System32 directory.

Drawbacks:

• Requires administrative privileges.
• Can be detected by integrity-checking mechanisms.

6. Reflection/Unmanaged Code

Attackers use reflective DLL injection or unmanaged code to bypass AMSI by avoiding direct interaction with its functions.

Example:

• Using unmanaged C++ code to load payloads that evade AMSI scans entirely.

7. PowerShell Downgrade Attacks

Downgrading PowerShell to an older version (like v2.0) that does not support AMSI.

Command:

powershell.exe -Version 2

Caveats: Older PowerShell versions lack modern features and might be flagged by monitoring tools.

8. Exploiting Weak AMSI Integration

Attackers exploit incomplete or improperly implemented AMSI hooks in third-party applications.

Example:

• Applications that invoke AMSI improperly or use outdated libraries provide loopholes for bypassing its scans.

Defensive Measures

To counter AMSI bypass techniques, defenders can implement the following measures:

1. Enable Advanced Logging: Use Windows Event Logs and Sysmon to monitor process behavior, API calls, and suspicious activities.
2. Deploy Endpoint Detection and Response (EDR) Tools: Solutions like Microsoft Defender for Endpoint or CrowdStrike Falcon can identify and block AMSI bypass attempts.
3. Regular Updates: Ensure AMSI and associated software are updated to patch known vulnerabilities.
4. Script Block Logging: Enable PowerShell script block logging to capture and analyze suspicious script activity.
5. Code Integrity Checks: Use integrity monitoring tools to detect unauthorized changes to AMSI-related files like amsi.dll.
6. Behavioral Analysis: Leverage machine learning-based tools to analyze behavior indicative of AMSI bypass attempts.

Here’s a more detailed explanation of the real-world case studies related to AMSI bypass techniques:

Real-World Case Studies of AMSI Bypass Techniques

1. Cobalt Strike

Overview: Cobalt Strike is a popular penetration testing tool that is also widely used by cybercriminals and threat actors for exploitation, lateral movement, and post-exploitation activities. It is often associated with advanced persistent threat (APT) groups and is commonly used in sophisticated cyber-attacks.

AMSI Bypass Technique: Cobalt Strike is known for leveraging memory patching to bypass AMSI detection. The tool’s Beacon payload can be injected into the target system, and it has built-in functionality to disable AMSI by overwriting or manipulating the amsiScanBuffer function in memory. This effectively disables AMSI's ability to scan and detect malicious scripts or commands, allowing Cobalt Strike to run undetected.

How it Works:

1. Memory Manipulation: When Cobalt Strike is executed, it modifies the memory addresses of certain Windows functions, specifically amsiScanBuffer, which is used by AMSI to scan script content.
2. Bypassing AMSI: By patching the function, the malware ensures that AMSI always returns a benign status, effectively causing AMSI to “ignore” any malicious code that would otherwise trigger an alert.

Real-World Impact:

• APT Activity: Cobalt Strike is frequently used in large-scale cyber-attacks and is a go-to tool for attackers looking to evade detection by traditional security mechanisms, including AMSI.
• Exploitation in Targeted Attacks: This technique has been observed in various targeted campaigns, where attackers gain initial access via phishing or vulnerability exploits and then deploy Cobalt Strike for further lateral movement and payload deployment.

Defense Recommendations:

• Endpoint Detection and Response (EDR): Solutions like CrowdStrike Falcon can help detect Cobalt Strike and its associated bypass techniques, including memory manipulation.
• Behavioral Analysis: EDR tools can analyze suspicious behaviors such as memory tampering and unusual PowerShell executions.

2. Invoke-Obfuscation

Overview: Invoke-Obfuscation is a popular PowerShell obfuscation framework that is often used to generate obfuscated PowerShell scripts, making them harder for security tools, including AMSI, to detect.

AMSI Bypass Technique: Invoke-Obfuscation relies heavily on string obfuscation and dynamic payload encoding to avoid detection by AMSI. It allows attackers to encode or obfuscate PowerShell commands, payloads, and strings, making it more difficult for AMSI to recognize and flag the scripts.

How it Works:

1. String Obfuscation: By splitting strings into smaller parts or encoding them in Base64 or other formats, attackers can create PowerShell scripts that AMSI is unable to read or detect. The obfuscated script can later reassemble itself at runtime, evading AMSI.
2. Dynamic Payloads: Payloads are often encoded in Base64 or XOR encoded, which makes it harder for AMSI to detect them when scanning static code. The script will decode the payload at runtime, which means AMSI scans occur before the payload is fully reassembled.

Real-World Impact:

• Red Team Activities: Invoke-Obfuscation is commonly used in red teaming and penetration testing, where ethical hackers use obfuscation techniques to simulate real-world adversary behaviors and test security defenses.
• Malware Campaigns: In malicious campaigns, attackers use Invoke-Obfuscation to deliver PowerShell-based malware payloads while evading AMSI detection. This method is widely used in campaigns involving ransomware, banking trojans, and other forms of malware that rely on PowerShell for execution.

Defense Recommendations:

• PowerShell Script Block Logging: Enable script block logging in PowerShell to capture and analyze all executed scripts. This can help identify obfuscated or suspicious activity even if AMSI cannot flag it.
• EDR Tools: Using EDR tools that specialize in behavioral analysis can help detect obfuscated PowerShell scripts during execution, even if they evade AMSI.

3. Emotet

Overview: Emotet is a well-known banking trojan that evolved into a highly modular and polymorphic malware family. It is often distributed through phishing emails containing malicious attachments or links. Once executed, Emotet can download additional payloads, including ransomware or information stealers.

AMSI Bypass Technique: Emotet employs a combination of string obfuscation and reflection/unmanaged code techniques to bypass AMSI. The trojan may use PowerShell scripts to execute its payloads, and these scripts are often obfuscated using techniques that evade AMSI’s scanning capabilities.

How it Works:

1. String Obfuscation: Emotet uses string splitting and Base64 encoding to obfuscate malicious commands or scripts, making them difficult for AMSI to detect.
2. Reflection/Unmanaged Code: Emotet can inject and execute code dynamically using .NET reflection or unmanaged code techniques, which bypass the need for AMSI to scan the payload before execution. This allows the malware to load its components from memory without interacting with AMSI directly.

Real-World Impact:

• Ransomware and Data Theft: Emotet has been responsible for spreading various types of malware, including ransomware like Ryuk and TrickBot. The use of AMSI bypass techniques has allowed it to operate stealthily and maintain persistence within compromised networks.
• Targeted Phishing Campaigns: Emotet is often distributed via phishing emails, making it a serious threat to organizations that fail to secure their email gateways.

Defense Recommendations:

• Email Filtering: Implement advanced email filtering solutions that can detect phishing emails and block malicious attachments or links before they reach end users.
• EDR Monitoring: Leverage EDR solutions to detect abnormal PowerShell executions or reflective code loading that may indicate the presence of Emotet or similar malware.

Conclusion

AMSI bypass techniques showcase the continuous arms race between attackers and defenders. While attackers innovate new methods to evade detection, understanding these techniques empowers defenders to strengthen their security posture. By combining proactive monitoring, robust configurations, and continuous education, organizations can mitigate the risk posed by AMSI bypasses.