Tuesday, December 29, 2020

Nullify AMSI Scanner with PowerShell

Microsoft describes AMSI as follows: "The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads."

AMSI is used by multiple antimalware products and is a known obstacle for malicious actors. As a result, both malicious actors and red teamers have looked for ways to disable it.

Below is one such PowerShell snippet, seen in the wild, that actors use to nullify the AMSI scanner.


The PowerShell code first obtains the address of the AmsiScanBuffer API and changes the memory protection of that region. It then overwrites the first 7 bytes of the function with the bytes "66B80100C21800". Examining the function afterwards shows a very different prologue.


The overwritten bytes change AmsiScanBuffer so that it always returns '1' (AMSI_RESULT_NOT_DETECTED), indicating that the script being scanned was not detected, thus nullifying the effect of AMSI.
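As an added defensive example (not code from the original post), the following Python scans PowerShell script block log text, the kind recorded by script block logging as Event ID 4104, for the combination of indicators this technique leaves behind: a lookup of the AmsiScanBuffer export, a memory-protection change, a memory write, and the patch bytes 66B80100C21800 in either hex-string or byte-array form. The log records are constructed fragments for the example (deliberately incomplete, with ellipses), the indicator names are arbitrary labels, and the normalization step that joins quoted fragments concatenated with '+' is an assumption about how such scripts are commonly written, so that a split API name is still matched.

```python
import re
from dataclasses import dataclass, field

# The 7-byte patch described in the post, as a lowercase hex string:
# 66 B8 01 00 = mov ax,1 ; C2 18 00 = ret 0x18
AMSI_PATCH_HEX = "66b80100c21800"

# Indicator families that together point at in-memory tampering with amsi.dll.
# The keys are hypothetical labels chosen for this example.
INDICATORS = {
    "amsi_export": re.compile(r"amsiscanbuffer|amsiopensession|amsi\.dll"),
    "memory_protect": re.compile(r"virtualprotect|ntprotectvirtualmemory"),
    "memory_write": re.compile(r"marshal\]::copy|marshal\]::writebyte|writeprocessmemory"),
}


@dataclass
class Finding:
    record_id: int
    indicators: list = field(default_factory=list)
    patch_bytes: bool = False

    @property
    def suspicious(self) -> bool:
        # The literal patch bytes alone are enough; otherwise require the export
        # lookup plus at least one memory-tampering primitive, so that ordinary
        # interop code using VirtualProtect on its own is not flagged.
        return self.patch_bytes or (
            "amsi_export" in self.indicators and len(self.indicators) >= 2
        )


def normalize(script: str) -> str:
    """Lowercase the script and join quoted fragments glued with '+'."""
    s = script.lower()
    # 'Amsi'+'Scan'+'Buffer' becomes 'AmsiScanBuffer' before matching
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)
    # Drop remaining quotes so quoted and bare names match the same way
    return s.replace("'", "").replace('"', "")


def contains_patch_bytes(norm: str) -> bool:
    """Detect the patch as a hex string or as a 0x.. byte array literal."""
    if AMSI_PATCH_HEX in norm.replace(" ", ""):
        return True
    joined = "".join(re.findall(r"0x([0-9a-f]{2})", norm))
    return AMSI_PATCH_HEX in joined


def analyze_script_block(record_id: int, script: str) -> Finding:
    norm = normalize(script)
    finding = Finding(record_id)
    for name, pattern in INDICATORS.items():
        if pattern.search(norm):
            finding.indicators.append(name)
    finding.patch_bytes = contains_patch_bytes(norm)
    return finding


def scan_log(records):
    """records: iterable of (record_id, script_block_text) tuples."""
    return [analyze_script_block(rid, text) for rid, text in records]


# Constructed sample script blocks (not taken from any real system).
SAMPLE_RECORDS = [
    # Fragment resembling the tampering described above, with the API name split
    (1, "... ::GetProcAddress($h, 'Amsi'+'Scan'+'Buffer') ... ::VirtualProtect($addr, ...) ..."
        " [Byte[]](0x66,0xB8,0x01,0x00,0xC2,0x18,0x00) ..."
        " [System.Runtime.InteropServices.Marshal]::Copy(...)"),
    # Benign administrative script that merely mentions AMSI
    (2, "# Check whether the AMSI provider is registered\n"
        "Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers' | Out-Null"),
    # Legitimate interop that changes protection but never touches amsi
    (3, "[Win32]::VirtualProtect($buf, [uint32]$len, 0x04, [ref]$old)"),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_RECORDS):
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"record {f.record_id}: {verdict} indicators={f.indicators} patch_bytes={f.patch_bytes}")
```

Only record 1 is flagged: it carries all three indicator families and the patch bytes in byte-array form. Record 3 shows why the combination rule matters, since VirtualProtect by itself is common in legitimate interop code. A production rule would live in the SIEM or as a Sigma rule over the same 4104 events; the scoring logic here is the part worth carrying over.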

References

  • https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
  • https://docs.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanbuffer
