Suspicious Antimalware Scan Interface DLL Creation
An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.
The Antimalware Scan Interface (AMSI) is a Windows interface that allows applications and services to integrate with antimalware products. Attackers may attempt to bypass AMSI to execute malicious code without detection. This detection identifies the creation of the AMSI DLL (amsi.dll) in unusual locations, which is a common technique used to load a rogue AMSI module instead of the legitimate one. This technique can be used to evade detection by security products that rely on AMSI for scanning potentially malicious scripts and code. The rule is designed to work with data from Winlogbeat, Elastic Endpoint, Sysmon, Endgame, SentinelOne Cloud Funnel, Microsoft Defender XDR, and Crowdstrike.
Attack Chain
- An attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).
- The attacker determines the location of the legitimate amsi.dll file (normally %SystemRoot%\System32, with a 32-bit copy under SysWOW64).
- The attacker identifies a writable directory where a malicious amsi.dll can be placed. The directory must come before System32 in the DLL search order of an application that uses AMSI, such as PowerShell or another scripting host. Under the default search order the application's own directory is checked first, so a common variant is to copy the script host executable into a user-writable folder and drop the rogue DLL next to it.
- The attacker copies or creates a malicious amsi.dll in the identified location. This rogue DLL is designed to bypass or disable AMSI functionality, typically by exporting the AMSI functions so that every scan reports the buffer as clean.
- A process such as PowerShell or another scripting host is launched. Because the malicious amsi.dll sits in a higher-priority directory, it is loaded instead of the legitimate AMSI library.
- The launched process executes malicious code (e.g., a PowerShell script).
- Because the rogue amsi.dll is loaded, AMSI scan requests never reach the antimalware provider, and the malicious code executes without detection.
Impact
A successful AMSI bypass can allow attackers to execute malicious code, such as malware, scripts, or exploits, without detection by antimalware products. This can lead to system compromise, data theft, or other malicious activities. The impact can range from a single compromised endpoint to a wider breach of an organization’s network.
Recommendation
- Enable file creation monitoring with Sysmon (Event ID 11, FileCreate) or Elastic Defend to detect the creation of files, specifically DLLs, in unusual locations.
- Deploy the Sigma rule "Suspicious Antimalware Scan Interface DLL Creation" to your SIEM to detect the creation of amsi.dll in non-standard paths. Tune the rule for your environment: Windows servicing and update staging write legitimate copies of amsi.dll, so allowlist those paths rather than excluding the file name.
- Investigate any alerts generated by the Sigma rule by examining the parent process, file path, and user context to determine if the activity is malicious.
Detection coverage (2 rules)
- Suspicious Antimalware Scan Interface DLL Creation (severity: high). Detects the creation of the AMSI DLL (amsi.dll) in unusual locations, which may indicate an attempt to bypass AMSI by loading a rogue AMSI module.
- Suspicious Process Loading Non-Standard AMSI DLL (severity: medium). Detects processes loading amsi.dll from non-standard paths.
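As an added worked example (not the platform's rules or queries), the logic of both detections above and the tuning advice in the recommendations, run over a few constructed Sysmon-style events: Event ID 11 (FileCreate) drives the creation rule and Event ID 7 (ImageLoad) drives the load rule. The allowlist of expected amsi.dll locations (System32, SysWOW64, WinSxS), the field names, the rule names reused from this page, and every sample path and user are assumptions for illustration; the events are constructed, not captured from a host.

```python
"""Detect rogue amsi.dll creation and loading over constructed Sysmon-style events.

Added illustration, not the platform's own Sigma rule. The allowlist and the
event field names are assumptions modelled on Sysmon Event ID 11 (FileCreate)
and Event ID 7 (ImageLoad).
"""
import re

# Assumed allowlist: amsi.dll is normally installed under System32, SysWOW64 and
# the component store (WinSxS). Any other location is treated as non-standard.
# Note that "system32\<subdir>\amsi.dll" does NOT match: the DLL must sit directly
# in one of the expected directories.
_EXPECTED_AMSI_PATH = re.compile(
    r"^[a-z]:\\windows\\(?:system32|syswow64|winsxs\\[^\\]+)\\amsi\.dll$"
)

RULE_CREATE = "Suspicious Antimalware Scan Interface DLL Creation"
RULE_LOAD = "Suspicious Process Loading Non-Standard AMSI DLL"


def normalize_path(path: str) -> str:
    """Lower-case, collapse forward slashes and strip quotes so case games like AMSI.DLL still match."""
    return path.strip().strip('"').replace("/", "\\").lower()


def is_amsi_dll(path: str) -> bool:
    """True when the file name (not the whole path) is amsi.dll, case-insensitive."""
    return normalize_path(path).rsplit("\\", 1)[-1] == "amsi.dll"


def is_expected_amsi_path(path: str) -> bool:
    """True when amsi.dll lives in one of the assumed legitimate directories."""
    return _EXPECTED_AMSI_PATH.match(normalize_path(path)) is not None


def evaluate(event: dict):
    """Apply both rules to one event; return an alert dict or None."""
    event_id = event.get("EventID")
    if event_id == 11:  # Sysmon FileCreate -> creation rule (high)
        target = event.get("TargetFilename", "")
        if is_amsi_dll(target) and not is_expected_amsi_path(target):
            return {"rule": RULE_CREATE, "severity": "high", "path": target,
                    "process": event.get("Image"), "user": event.get("User")}
    elif event_id == 7:  # Sysmon ImageLoad -> load rule (medium)
        loaded = event.get("ImageLoaded", "")
        if is_amsi_dll(loaded) and not is_expected_amsi_path(loaded):
            return {"rule": RULE_LOAD, "severity": "medium", "path": loaded,
                    "process": event.get("Image"), "signed": event.get("Signed")}
    return None


def run_rules(events):
    """Return the alerts raised across a sequence of events, in order."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # Windows servicing writing the real DLL: allowlisted, no alert.
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\amsi.dll", "User": r"NT AUTHORITY\SYSTEM"},
    # Component store copy (directory name is a placeholder): allowlisted, no alert.
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\WinSxS\example_component\amsi.dll", "User": r"NT AUTHORITY\SYSTEM"},
    # Rogue DLL dropped into a user-writable directory next to a copied script host.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\tools\AMSI.DLL", "User": r"CORP\jdoe"},
    # The copied PowerShell then loads the rogue DLL from its own directory first.
    {"EventID": 7, "Image": r"C:\Users\jdoe\tools\powershell.exe",
     "ImageLoaded": r"C:\Users\jdoe\tools\AMSI.DLL", "Signed": "false"},
    # Normal load from System32: no alert.
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\amsi.dll", "Signed": "true"},
    # A different DLL in the same user directory: out of scope for these rules.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\tools\helper.dll", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['path']} via {alert['process']}")
```

Running the script raises exactly two alerts, the creation (high) and the load (medium) of the rogue DLL under the user's profile, while the servicing writes and the normal System32 load stay silent. The allowlist is what keeps the rule quiet during Windows updates; matching on the bare file name alone would fire on every legitimate servicing write, which is the tuning the recommendations ask for.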