AMSI Bypass

Antimalware Scan Interface

https://amsi.fail/
https://github.com/subat0mik/whoamsi
https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
https://iwantmore.pizza/posts/amsi.html
https://fluidattacks.com/blog/amsi-bypass-python/
https://www.offsec.com/offsec/amsi-write-raid-0day-vulnerability/

AMSI Test Sample:

PS > Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

Memory Patching

https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch
https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/
https://github.com/ZeroMemoryEx/Amsi-Killer

Patch AmsiScanBuffer

https://rastamouse.me/memory-patching-amsi-bypass/
https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell#patching-amsidll-amsiscanbuffer-by-rasta-mouse
https://github.com/ShorSec/AMS-BP/blob/master/Source.cs
0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html

Patch AMSI Provider

https://www.blackhat.com/asia-22/briefings/schedule/#amsi-unchained-review-of-known-amsi-bypass-techniques-and-introducing-a-new-one-26120
https://github.com/deepinstinct/AMSI-Unchained/blob/main/InitializationInterception.ps1
https://github.com/deepinstinct/AMSI-Unchained/blob/main/ScanInterception_x64.ps1
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell#patch-the-providers-dll-of-microsoft-mpoavdll
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell#scanning-interception

List registered AMSI Providers (same as AMSIProviders):

$providers = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name
foreach ($p in $providers) { Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$p\InprocServer32" }

Registry & Filesystem

https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin

Hardware Breakpoints (Patchless Bypass)

https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/
https://gist.github.com/CCob/fe3b63d80890fafeca982f76c8a3efdf
https://gist.github.com/susMdT/360c64c842583f8732cc1c98a60bfd9e
https://github.com/ShigShag/AMSI-Bypass-via-Page-Guard-Exceptions

Ghosting AMSI

https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80
https://github.com/andreisss/Ghosting-AMSI
https://github.com/cod3nym/Ghosting-AMSI
https://sabotagesec.com/love-for-microsoft-component-object-model-rpc-and-amsi-attack-surface/

Last updated 4 months ago