high advisory

Potential Antimalware Scan Interface Bypass via PowerShell

This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.

This detection identifies PowerShell scripts that attempt to circumvent the Antimalware Scan Interface (AMSI), the Windows interface through which installed antimalware products scan script content at runtime, before it executes. Attackers use AMSI bypass techniques to disable that real-time scanning and run malicious PowerShell code without detection. The bypasses typically work by manipulating AMSI's internal state or patching its scanning routines, which lets attackers deliver and execute payloads undetected and can lead to full system compromise. This technique is actively used by a range of threat actors to evade defenses.

Attack Chain

  1. An attacker gains initial access to the system, typically through phishing or exploiting a vulnerability.
  2. The attacker executes a PowerShell script.
  3. The PowerShell script contains code designed to bypass AMSI, such as patching the AmsiScanBuffer function or injecting unmanaged code.
  4. The AMSI bypass is executed, disabling real-time scanning of PowerShell scripts.
  5. The attacker then executes a malicious payload within the same PowerShell session, which is no longer subject to AMSI scanning.
  6. The malicious payload performs actions such as downloading additional malware, establishing persistence, or exfiltrating data.
  7. The attacker leverages the compromised system for further lateral movement or to achieve their objectives, such as data theft or ransomware deployment.

Impact

Successful AMSI bypass can lead to the execution of arbitrary code on the affected system, potentially resulting in data breaches, system compromise, and the installation of malware. Because AMSI is a core component of Windows security, its bypass represents a significant security risk.

Recommendation

  • Enable PowerShell Script Block Logging to capture the contents of PowerShell scripts, which is essential for this detection to function effectively (reference: Setup section).
  • Deploy the Sigma rule “Potential Antimalware Scan Interface Bypass via PowerShell” to detect scripts containing known AMSI bypass techniques (reference: rules section below).
  • Investigate alerts generated by the Sigma rule, focusing on the script content and the context in which it was executed to identify potential malicious activity (reference: note section).

Detection coverage (3 rules)

Detect PowerShell AMSI Bypass via AmsiUtils

high

Detects PowerShell scripts that reference the 'System.Management.Automation.AmsiUtils' class, which is often used in AMSI bypass techniques.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1027, T1027.010 | Sources: process_creation, windows

Detect PowerShell AMSI Bypass via amsi.dll reference

high

Detects PowerShell scripts that reference 'amsi.dll', which is indicative of AMSI manipulation attempts.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1027, T1027.010 | Sources: process_creation, windows

Detect PowerShell AMSI Bypass via Invoke-AmsiBypass

high

Detects PowerShell scripts that invoke `Invoke-AmsiBypass`, a common method for bypassing AMSI.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1027, T1027.010 | Sources: process_creation, windows
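To show how the three coverage rules above line up with the Script Block Logging recommendation, here is an added example (not the platform's own Sigma rules, whose detection bodies are not published on this page) that runs keyword matches for the three named indicators over parsed Event ID 4104 records. The keyword lists, the event field names used and the sample events are assumptions constructed for the example.

```python
# Added example: this page's three coverage rules reduced to the keywords
# they match on (an assumption; the page does not publish the Sigma bodies).
RULES = [
    {"title": "Detect PowerShell AMSI Bypass via AmsiUtils",
     "keywords": ["System.Management.Automation.AmsiUtils"]},
    {"title": "Detect PowerShell AMSI Bypass via amsi.dll reference",
     "keywords": ["amsi.dll"]},
    {"title": "Detect PowerShell AMSI Bypass via Invoke-AmsiBypass",
     "keywords": ["Invoke-AmsiBypass"]},
]
TECHNIQUES = ["T1027", "T1027.010"]  # listed for all three rules

def match_rules(script_text):
    """Titles of rules whose keywords occur in one script block.
    PowerShell is case-insensitive, so the comparison is too."""
    haystack = script_text.lower()
    return [r["title"] for r in RULES
            if any(k.lower() in haystack for k in r["keywords"])]

def scan_events(events):
    """Run the rules over parsed Script Block Logging events.
    Only Event ID 4104 carries ScriptBlockText; other IDs are skipped."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        for title in match_rules(ev.get("ScriptBlockText", "")):
            hits.append({"ScriptBlockId": ev.get("ScriptBlockId"),
                         "rule": title, "techniques": TECHNIQUES})
    return hits

# Constructed sample events, not real telemetry. b3 is a benign file-hash
# check that mentions amsi.dll: the keyword rule still fires, and the analyst
# triages the surrounding context as the Recommendation section says.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "b1",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4104, "ScriptBlockId": "b2",
     "ScriptBlockText": "$t = 'system.management.automation.amsiutils'"},
    {"EventID": 4104, "ScriptBlockId": "b3",
     "ScriptBlockText": "Get-FileHash $env:SystemRoot\\System32\\amsi.dll"},
    {"EventID": 4104, "ScriptBlockId": "b4",
     "ScriptBlockText": "Invoke-AmsiBypass -Verbose"},
    {"EventID": 4103, "ScriptBlockId": "b5",
     "Payload": "CommandInvocation(Invoke-AmsiBypass)"},
]
```

Running `scan_events(SAMPLE_EVENTS)` yields one hit each for b2, b3 and b4 and nothing for the 4103 record, which is why the recommendation insists on 4104 script block content rather than pipeline logging alone.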
