You're reading from PowerShell Automation and Scripting for Cybersecurity

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781800566378
Edition: 1st Edition
Miriam C. Wiesner

Miriam C. Wiesner is a senior security researcher at Microsoft, with over 15 years of experience in IT and IT security. She has held various positions, including administrator/system engineer, software developer, premier field engineer, program manager, security consultant, and pentester. She is also a renowned creator of open source tools based in PowerShell, including EventList and JEAnalyzer. She has been invited multiple times to present the research behind her tools at many international conferences, such as Black Hat (the US, Europe, and Asia), PSConfEU, and MITRE ATT&CK workshop. Outside of work, Miriam is a dedicated wife and mother, residing with her family near Nuremberg, Germany.

Exploring the Antimalware Scan Interface (AMSI)

In the past, attackers often used scripts or executables to get their malware running on client systems. But antivirus products improved over the years, so file-based malware became easier to identify and remove.

For malware authors, this was a serious problem that they tried to circumvent, and the solution they came up with was to run their malicious code directly in memory, without ever touching the hard disk. Built-in programs such as PowerShell, VBScript, JavaScript, and other tools are therefore used to carry out these attacks. Attackers also got creative and obfuscated their code so that it is not obviously identifiable as malware.

Microsoft's answer was to inspect the code before it runs, through the Antimalware Scan Interface (AMSI). AMSI has evolved accordingly and can protect even against heavily obfuscated attacks. However, it's a constant cat-and-mouse...

Technical requirements

To make the most of this chapter, ensure that you have the following:

  • PowerShell 7.3 and above
  • Visual Studio Code installed
  • Ghidra installed
  • Some basic knowledge of assembly code and debuggers
  • Access to the GitHub repository for this chapter:

https://github.com/PacktPublishing/PowerShell-Automation-and-Scripting-for-Cybersecurity/tree/master/Chapter12

What is AMSI and how does it work?

AMSI is an interface that was designed to help with malware defense. Not only PowerShell but also other languages such as JavaScript and VBScript can benefit from it. It also gives third-party and self-written applications the option to protect their users from dynamic (in-memory) malware. It was introduced with Windows 10 and Windows Server 2016.

Currently, AMSI is supported for the following products:

  • PowerShell
  • Office Visual Basic for Applications macros
  • VBScript
  • Excel 4.0 (XLM) macros
  • Windows Management Instrumentation
  • Dynamically loaded .NET assemblies
  • JScript
  • MSHTA/JScript9
  • User Account Control
  • Windows Script Host (wscript.exe and cscript.exe)
  • Third-party products that support AMSI

Like other APIs, AMSI exposes both a Win32 API and a COM API. AMSI is an open standard, so it is not limited to PowerShell; any developer can build their application to support AMSI, and any...

Why AMSI? A practical example

Before we dive deeper into what exactly AMSI is, let’s first look at the why. As I mentioned in the introduction of this chapter, it’s an ongoing battle between attackers and defenders. Attackers try to launch successful attacks, while defenders try to prevent them.

In the early days, it was quite easy for attackers. Often, they just had to write a script to perform their malicious actions, but defenders soon reacted, and those actions were detected and blocked. Attackers then had to obfuscate their actions to launch successful attacks.

To analyze the submitted content, antimalware vendors can create their own in-process COM server (DLL) that serves as an AMSI provider and register it under the following registry paths:

  • HKLM\SOFTWARE\Microsoft\AMSI\Providers
  • HKLM\SOFTWARE\Classes\CLSID

A vendor can register one or more AMSI provider DLLs.
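As an added example (not code from the book), the following PowerShell enumerates the providers registered under these two keys, resolves each CLSID to its InprocServer32 DLL, and checks that the DLL exists and carries a valid Authenticode signature. This is a useful baseline check when you want to know which engines actually inspect content on a host. It assumes a Windows machine; the function name Get-AmsiProvider is my own.

```powershell
function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    # Each registered provider is a subkey (named by its CLSID) under this path
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providerRoot)) {
        Write-Warning "No AMSI provider key found at $providerRoot"
        return
    }

    foreach ($key in Get-ChildItem -Path $providerRoot) {
        $clsid     = $key.PSChildName        # subkey name is the provider's {GUID}
        $classKey  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $serverKey = "$classKey\InprocServer32"

        # The (default) value of InprocServer32 is the path of the provider DLL
        $dllPath = $null
        if (Test-Path -Path $serverKey) {
            $dllPath = (Get-ItemProperty -Path $serverKey).'(default)'
            if ($dllPath) { $dllPath = [Environment]::ExpandEnvironmentVariables($dllPath) }
        }
        $dllExists = [bool]($dllPath -and (Test-Path -Path $dllPath))

        # A missing or unsigned provider DLL deserves a closer look
        $signature = $null
        $signer    = $null
        if ($dllExists) {
            $signature = Get-AuthenticodeSignature -FilePath $dllPath
            if ($signature.SignerCertificate) { $signer = $signature.SignerCertificate.Subject }
        }

        [PSCustomObject]@{
            Clsid       = $clsid
            DllPath     = $dllPath
            DllExists   = $dllExists
            SignatureOK = ($null -ne $signature -and $signature.Status -eq 'Valid')
            Signer      = $signer
        }
    }
}

# List every registered provider, then flag any whose DLL is missing or not validly signed
$providers = Get-AmsiProvider
$providers | Format-Table -AutoSize
$providers | Where-Object { -not $_.DllExists -or -not $_.SignatureOK } |
    ForEach-Object { Write-Warning "Review AMSI provider $($_.Clsid): $($_.DllPath)" }
```

Reading HKLM does not require elevation, so this can run as a normal user as part of a host baseline or inventory script.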

When an application (such as PowerShell) submits content...

Bypassing AMSI

AMSI is really helpful for defenders when it comes to preventing malicious code from getting executed. But attackers would not be attackers if they did not try to find a way to bypass AMSI. In this section, we will look at some common techniques.

Most bypasses I have come across are somehow trying to tamper with amsi.dll. Most of the time, the goal is to either manipulate the result so that malicious code appears clean by replacing amsi.dll with a custom one or by avoiding amsi.dll completely.

Often, when a new bypass is found and blogged about, it gets fixed immediately and is detected shortly after its release.

Joseph Bialek originally wrote the Invoke-Mimikatz.ps1 script to make all Mimikatz functions available via PowerShell.

Invoke-Mimikatz is a part of the nishang module and can be downloaded from GitHub: https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1.

To demonstrate the examples here, I have...

Summary

AMSI is a great tool that helps you to secure your environment. It already protects you against most malicious code, and since antimalware vendors constantly improve their solutions, it will help you against most known (and probably even some unknown) threats, as long as you keep your antimalware software up to date.

But like other solutions, it is of course not the answer to everything, and there are ways to bypass it. However, since antimalware vendors are always looking out for new discoveries to improve their products, a detection usually follows shortly after a bypass is discovered.

AMSI is one part of the solution but not the entire picture, and to keep your environment as secure as possible, there are many other ways that you need to keep in mind. In Chapter 13, What Else? – Further Mitigations and Resources, we will look at what else you can do to secure your environment.

Further reading

If you want to explore some of the topics that were mentioned in this chapter, check out these resources:

Part 1: https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/

Part 2: https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
