AMSI Bypass Flashcards
What is AMSI?
The Antimalware Scan Interface: a Windows API through which applications such as PowerShell, Windows Script Host, .NET and Office VBA hand the content they are about to execute (script text, assembly bytes) to the registered antimalware provider, e.g. Microsoft Defender, so that code which only ever exists in memory is still scanned before it runs.
Why bypass AMSI?
To run scripts and tooling (including legitimate admin or testing scripts) that the provider behind AMSI flags as malicious; in practice this is red-team and pentest tradecraft for getting offensive PowerShell tooling to execute on a monitored host.
Patching AmsiScanBuffer
Overwriting the first bytes of amsi!AmsiScanBuffer in the current process so the function returns immediately (the common public patch returns the error E_INVALIDARG, 0x80070057) without passing the buffer to the provider; the caller then treats the unscanned content as clean. The patch lives only in that process, and writing to amsi.dll's code pages is itself a behaviour Defender and EDR agents watch for.
Obfuscation (3 methods)
String Splitting: writing "Inv" + "oke-Mimikatz" so the signature string "Invoke-Mimikatz" never appears intact in the script text that is scanned.
Base64: shipping the command encoded (as PowerShell's -EncodedCommand does) so it is unreadable on disk and in transit; the decoded text is still submitted to AMSI when it is executed.
XOR: encrypting strings with a key and decoding them at runtime; same limitation as Base64, the plaintext is scanned at the moment it runs.
Alternative Execution (3 methods)
CLR: loading a .NET assembly directly (e.g. [Reflection.Assembly]::Load on a byte array) instead of running PowerShell script text; note that .NET Framework 4.8 and later submit such in-memory loads to AMSI as well.
C# via PowerShell: compiling C# at runtime with Add-Type; in Windows PowerShell 5.1 this invokes csc.exe, which writes a temporary DLL to disk where the on-access file scanner sees it.
Unmanaged DLLs: calling native code through P/Invoke or LoadLibrary; AMSI has no hook in the native loader, although the DLL file on disk is still subject to on-access antivirus scanning.
What tool is often blocked by AMSI?
Mimikatz (credential dumping from LSASS memory). Its PowerShell wrapper, Invoke-Mimikatz, is the stock example of a script that AMSI-backed providers block on sight.
Why does patching AmsiScanBuffer work?
PowerShell calls AmsiScanBuffer in-process: amsi.dll is mapped into the script host's own address space, so the process can make the pages writable and overwrite the function. Once the patched function returns before reaching the provider, nothing is ever scanned and execution continues as if the content were clean.
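Worked example (added here, not part of the original flashcards): a PowerShell check that reports whether AmsiScanBuffer in the current process still works. It reads the function's first bytes and compares them with the prologues the well-known patches leave behind, then asks AMSI to scan a harmless buffer and checks the HRESULT. The AmsiProbe type and the Test-AmsiIntegrity function are constructed for this example; it assumes 64-bit Windows with amsi.dll loaded (PowerShell loads it at startup) and a provider such as Microsoft Defender registered.

```powershell
# Constructed P/Invoke wrapper for the AMSI exports used by the check.
$amsiProbeSource = @'
using System;
using System.Runtime.InteropServices;

public static class AmsiProbe
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
        string contentName, IntPtr amsiSession, out uint result);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
}
'@
Add-Type -TypeDefinition $amsiProbeSource

function Test-AmsiIntegrity {
    # 1. Prologue check: read the first bytes of amsi!AmsiScanBuffer as mapped in
    #    this process. The public patches replace the real prologue with an
    #    immediate return; the patterns below are those patches, not a full list.
    $hAmsi = [AmsiProbe]::GetModuleHandle('amsi.dll')
    if ($hAmsi -eq [IntPtr]::Zero) { throw 'amsi.dll is not loaded in this process' }
    $fn = [AmsiProbe]::GetProcAddress($hAmsi, 'AmsiScanBuffer')
    if ($fn -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer export not found' }
    $prologue = New-Object byte[] 8
    [Runtime.InteropServices.Marshal]::Copy($fn, $prologue, 0, 8)

    $patched = $false
    # mov eax, imm32 ; ret   (B8 xx xx xx xx C3)  -> forces a fixed HRESULT such as E_INVALIDARG
    if ($prologue[0] -eq 0xB8 -and $prologue[5] -eq 0xC3) { $patched = $true }
    # xor eax, eax ; ret     (31/33 C0 C3)        -> returns S_OK without scanning
    if (($prologue[0] -eq 0x31 -or $prologue[0] -eq 0x33) -and $prologue[1] -eq 0xC0 -and $prologue[2] -eq 0xC3) { $patched = $true }
    # bare ret               (C3)
    if ($prologue[0] -eq 0xC3) { $patched = $true }
    # jmp rel32 at the entry point: a hook. EDRs do this legitimately, so it is
    # reported separately rather than treated as a patch.
    $hooked = ($prologue[0] -eq 0xE9)

    # 2. Functional check: scan a benign buffer. A working AmsiScanBuffer returns
    #    S_OK (0); the common patch makes it return E_INVALIDARG (0x80070057).
    $ctx = [IntPtr]::Zero
    $hr = [AmsiProbe]::AmsiInitialize('AmsiIntegrityProbe', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    $sample = [Text.Encoding]::Unicode.GetBytes('Write-Output "hello"')   # constructed benign content
    $result = [uint32]0
    $hr = [AmsiProbe]::AmsiScanBuffer($ctx, $sample, [uint32]$sample.Length, 'probe.ps1', [IntPtr]::Zero, [ref]$result)
    [AmsiProbe]::AmsiUninitialize($ctx)

    [pscustomobject]@{
        AmsiScanBufferAddress = ('0x{0:X}' -f $fn.ToInt64())
        Prologue              = (($prologue | ForEach-Object { $_.ToString('X2') }) -join ' ')
        PrologueLooksPatched  = $patched
        EntryIsJmpHook        = $hooked
        ScanHResult           = ('0x{0:X8}' -f $hr)
        AmsiResult            = $result      # 0 = AMSI_RESULT_CLEAN, 1 = NOT_DETECTED, 32768 = DETECTED
        ScanFunctional        = ($hr -eq 0)
    }
}

Test-AmsiIntegrity
```

On a healthy host this reports ScanHResult 0x00000000, PrologueLooksPatched False and AmsiResult 0 (clean) or 1 (not detected). To confirm the provider also detects, substitute Microsoft's AMSI test sample string for the benign buffer, but build that string at runtime: placed as a literal in the script, it trips the scan of the script itself before the check ever runs.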
Why does obfuscation evade detection?
The provider behind AMSI (AMSI itself only forwards the buffer) relies partly on signatures for known strings such as "Invoke-Mimikatz"; obfuscation keeps those strings out of the text that is submitted. It does nothing against a provider that scans the decoded content or detects the behaviour instead of the string.
Why use unmanaged DLLs?
AMSI is wired into script interpreters and the .NET assembly loader, not the native loader, so code running inside an unmanaged DLL is never submitted to it. The DLL on disk is still subject to file scanning and the process's actions to EDR monitoring, so this avoids AMSI specifically rather than detection in general.
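Worked example (added here, not from the original flashcards) covering the three alternative execution cards and the unmanaged-DLL card together: it compiles C# with Add-Type, loads a second assembly from a byte array, and calls a native export, with a comment on where a scan happens for each route. DemoNative, DemoManaged, Get-DotNetInMemoryScanState and Get-AlternativeExecutionDemo are constructed names; the example assumes 64-bit Windows, and the registry check for .NET Framework 4.8 applies to Windows PowerShell 5.1 only.

```powershell
function Get-DotNetInMemoryScanState {
    # .NET Framework 4.8 (registry Release value 528040 or higher) submits
    # Assembly.Load(byte[]) to AMSI; earlier Framework versions do not.
    if ($PSVersionTable.PSEdition -ne 'Desktop') { return 'not checked here (non-Desktop edition)' }
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if ($ndp -and $ndp.Release -ge 528040) { return 'scanned by AMSI (.NET Framework 4.8 or later)' }
    return "not scanned by AMSI (Release=$($ndp.Release), pre-4.8)"
}

# Route 1, C# via PowerShell: Add-Type compiles this source at runtime. In
# Windows PowerShell 5.1 that means csc.exe writes a temporary .dll under
# %TEMP% and loads it, so the on-access file scanner sees the binary even though
# no script text reaches AmsiScanBuffer. PowerShell 7 compiles in memory instead.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DemoNative
{
    // Route 3, unmanaged code: a P/Invoke into a native export. AMSI has no
    // hook in the native loader, so nothing about this call is submitted to
    // it; the DLL file was subject to the file scanner when it was mapped.
    [DllImport("kernel32.dll")]
    public static extern ulong GetTickCount64();
}
'@

function Get-AlternativeExecutionDemo {
    # Route 2, CLR: load a managed assembly from a byte array with no file
    # present at load time. Build a tiny assembly to a temp path, read it,
    # delete the file, then load from memory the way in-memory loaders do.
    $tmp = Join-Path $env:TEMP ('demo_{0}.dll' -f [guid]::NewGuid())
    Add-Type -TypeDefinition 'public static class DemoManaged { public static string Hello() { return "hello from memory"; } }' -OutputAssembly $tmp
    $bytes = [IO.File]::ReadAllBytes($tmp)
    Remove-Item $tmp
    $asm   = [Reflection.Assembly]::Load($bytes)
    $hello = $asm.GetType('DemoManaged').GetMethod('Hello').Invoke($null, $null)

    [pscustomobject]@{
        'C# via Add-Type'           = 'compiled; temporary DLL on disk is file-scanned (Windows PowerShell 5.1)'
        'CLR Assembly.Load(byte[])' = "$hello; $(Get-DotNetInMemoryScanState)"
        'Unmanaged P/Invoke'        = "GetTickCount64 = $([DemoNative]::GetTickCount64()); not submitted to AMSI"
    }
}

Get-AlternativeExecutionDemo | Format-List
```

The point of the three rows is that "not scanned by AMSI" is not the same as "not scanned": the Add-Type route is seen by the file scanner, the byte-array route is seen by AMSI on any current .NET Framework, and only the native call sidesteps both, while still leaving the DLL file and the process behaviour for other controls to inspect.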