← Back to Explore
sigmahighHunting
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Detection Query
selection:
- CommandLine|contains|all:
- System.Management.Automation.AmsiUtils
- amsiInitFailed
- CommandLine|contains|all:
- "[Ref].Assembly.GetType"
- SetValue($null,$true)
- NonPublic,Static
condition: selection
Author
Markus Neis, @Kostastsale
Created
2018-08-17
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1562.001
Raw Content
title: Potential AMSI Bypass Via .NET Reflection
id: 30edb182-aa75-42c0-b0a9-e998bb29067c
related:
- id: 4f927692-68b5-4267-871b-073c45f4f6fe
type: obsolete
status: test
description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
references:
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
author: Markus Neis, @Kostastsale
date: 2018-08-17
modified: 2023-02-03
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'System.Management.Automation.AmsiUtils'
- 'amsiInitFailed'
- CommandLine|contains|all:
- '[Ref].Assembly.GetType'
- 'SetValue($null,$true)'
- 'NonPublic,Static'
condition: selection
falsepositives:
- Unlikely
level: high