Skip to content
Threat Feed
high advisory

Suspicious Antimalware Scan Interface DLL Creation

The rule detects the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location, potentially indicating an attempt to bypass AMSI by loading a rogue AMSI module, a technique used for defense evasion.

This detection rule identifies the creation of the Antimalware Scan Interface (AMSI) DLL in unusual locations on Windows systems. AMSI is a standard that allows applications and services to integrate with antimalware products. Attackers may attempt to bypass AMSI by loading a rogue AMSI DLL, allowing them to execute malicious code without detection. This technique is often employed after successful initial compromise and during the execution phase to evade defenses. The detection logic focuses on file creation events where the file name is "amsi.dll" or "amsi" and the file path is outside the expected system directories. The rule is designed to work across multiple data sources, including Winlogbeat, Sysmon, Elastic Endgame, SentinelOne, Microsoft Defender XDR, and Crowdstrike.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., via phishing or exploitation of a vulnerability).
  2. The attacker attempts to execute malicious code, such as a PowerShell script or macro.
  3. To evade detection by AMSI, the attacker copies or creates a malicious "amsi.dll" in a non-standard directory (e.g., a user's temp directory or a newly created folder).
  4. The attacker modifies the system's DLL search order or uses other techniques (e.g., registry modification or process injection) to ensure that the malicious AMSI DLL is loaded instead of the legitimate one.
  5. The malicious code is then executed, with AMSI bypassed or impaired, allowing the attacker to perform actions such as privilege escalation, lateral movement, or data exfiltration.
  6. The attacker uses the compromised host to move laterally to other systems within the network using tools like PowerShell or WMI.
  7. The attacker establishes persistence on the compromised system by creating scheduled tasks or modifying registry keys.
  8. The final objective is often data exfiltration or ransomware deployment.

Impact

A successful AMSI bypass can lead to the execution of arbitrary malicious code on a Windows system without detection by the system's antimalware solution. This can result in data theft, system compromise, ransomware infection, and other severe consequences. The number of victims depends on the scope of the attacker's campaign, but any system vulnerable to this bypass is at risk. Organizations in all sectors are potential targets.

Recommendation

  • Deploy the Sigma rule "Suspicious AMSI DLL Creation" to your SIEM and tune for your environment to detect the creation of AMSI DLL in unusual locations.
  • Enable file creation monitoring with tools like Sysmon or Elastic Defend to capture the necessary events for the Sigma rule to function.
  • Investigate any alerts generated by the Sigma rule by examining the process execution chain and the origin of the created DLL as described in the rule's description.
  • Regularly review and update exclusions in the Sigma rule to avoid false positives, taking into account legitimate software installations that may create AMSI DLL files in specific locations.

Detection coverage 2

Suspicious AMSI DLL Creation

high

Detects the creation of amsi.dll in unusual locations, indicating potential AMSI bypass attempts.

sigma tactics: defense_evasion techniques: T1562.001, T1574.001 sources: file_event, windows

AMSI DLL Load from Unusual Location

high

Detects the loading of amsi.dll from unusual locations, indicating potential AMSI bypass attempts.

sigma tactics: defense_evasion techniques: T1562.001, T1574.001 sources: image_load, windows

Detection queries are available on the platform. Get full rules →