Description
Generates an obfuscated PowerShell Anti-Malware Scan Interface bypass.
Overview
This pipeline generates an obfuscated AMSI bypass in PowerShell. The techniques are only guaranteed to bypass scanning of PowerShell commands. Some techniques are broader in effect and can also suppress the scanning of .NET assemblies as they are loaded, while others apply to PowerShell alone. For example, the ‘ContextError’ technique only prevents PowerShell commands from being submitted to the installed AV, whereas the ‘PatchInMemory’ technique stops every submission to the installed AV.
Techniques
| Technique | Bypasses |
|---|---|
| ContextError | PowerShell Commands Only |
| InitFailed | PowerShell Commands Only |
| PatchAddType | Fully Mitigates AMSI (detected by Windows Defender) |
| PatchInMemory | Fully Mitigates AMSI (detected by Windows Defender) |
| PatchScanContent | PowerShell Commands Only |
| AmsiScanBufferStringReplace | .NET Assemblies Loaded with Assembly.Load(byte[]) only |
Employment Considerations
- The techniques that fully mitigate AMSI are more likely to be detected and prevented by an EDR, because they manipulate process memory to patch AMSI's AmsiScanBuffer.
- The techniques that fully mitigate AMSI can be used to load .NET assemblies without those assemblies being submitted to AMSI.
- The techniques that only mitigate PowerShell scanning are less likely to be detected by an EDR, since they do not patch AMSI in memory.
