
AMSI: A Flawed Security System

WHAT IS AMSI?

The Microsoft Antimalware Scan Interface (AMSI) is a Windows interface that lets applications and services hand content to the installed antimalware engine for scanning at the moment that content is about to be interpreted. It was introduced in Windows 10 and Windows Server 2016 and is aimed at malware delivered through scripting engines such as PowerShell, VBScript and JScript, including content that never touches disk: PowerShell submits each script block as it is compiled, the Windows Script Host submits script text, and later releases added scanning of .NET assemblies loaded from memory and of WMI calls. These engines are a staple of fileless attacks and lateral movement because they give an attacker a convenient, already-installed way to run code on a target (Microsoft, n.d.).

AMSI is exposed by amsi.dll. A host application such as PowerShell initialises a context with AmsiInitialize, opens a session with AmsiOpenSession, and passes each piece of content to AmsiScanBuffer or AmsiScanString just before it is executed. amsi.dll forwards the buffer to every registered antimalware provider, and each provider returns an AMSI_RESULT; any value at or above AMSI_RESULT_DETECTED (0x8000) is treated as malware. AMSI itself never blocks anything: the calling application decides what to do with the verdict. PowerShell, for instance, refuses to compile the script block and raises a ParseException reading "This script contains malicious content and has been blocked by your antivirus software", while the provider records the detection in its own logs (Microsoft, n.d.).

By default, Microsoft Defender Antivirus is the registered AMSI provider. Third-party antivirus products can register their own provider by implementing the IAntimalwareProvider COM interface and listing its CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers; amsi.dll loads every provider registered there. Because the actual detection happens in the provider rather than in AMSI, AMSI is only as good as the provider's signatures and heuristics, which is why keeping them up to date matters (Microsoft, n.d.).

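To make the interface concrete, the following script (added here as an example; it is not part of the original page) calls amsi.dll directly from PowerShell through P/Invoke, exactly as a host application would. The export names and argument lists are the real amsi.dll API; the class and function names AmsiNative and Get-AmsiVerdict are my own. The "AMSI Test Sample" string is Microsoft's documented test string, which every provider is expected to flag. It needs Windows 10 or later with a provider installed (Microsoft Defender Antivirus by default).

```powershell
# Added example, not from the original page: drive the AMSI API by hand to see
# the verdict a host application such as powershell.exe receives.
# Assumptions: Windows 10+, a registered AMSI provider (Defender by default).

$amsiApi = @'
using System;
using System.Runtime.InteropServices;

public static class AmsiNative   // name chosen for this example
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content, string contentName,
                                            IntPtr amsiSession, out int result);

    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
}
'@
# Add-Type errors if the type already exists, so guard for repeated runs.
if (-not ('AmsiNative' -as [type])) { Add-Type -TypeDefinition $amsiApi }

# AMSI_RESULT values from amsi.h: 0 = CLEAN, 1 = NOT_DETECTED,
# 0x4000-0x4FFF = blocked by admin policy, 0x8000 and above = DETECTED.
function Get-AmsiVerdict {
    param([Parameter(Mandatory)][string]$Content, [string]$Name = 'demo')

    $ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero; $result = 0
    $hr = [AmsiNative]::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw "AmsiInitialize failed: 0x$($hr.ToString('X8'))" }
    try {
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw "AmsiOpenSession failed: 0x$($hr.ToString('X8'))" }
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $Name, $session, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanString failed: 0x$($hr.ToString('X8'))" }
        [pscustomobject]@{
            Name      = $Name
            Result    = $result
            IsMalware = ($result -ge 0x8000)   # same test as the AmsiResultIsMalware macro
        }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiNative]::AmsiCloseSession($ctx, $session) }
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# The test string is assembled at run time so that this script's own text is
# not blocked by PowerShell's AMSI scan before it gets a chance to run.
$testSample = 'AMSI Test Sample: 7e72c3ce-861b-' + '4339-8740-0ac1484c1386'

Get-AmsiVerdict -Content 'Get-Date; Write-Output "hello"' -Name 'benign'
Get-AmsiVerdict -Content $testSample -Name 'amsi-test-sample'
```

On a healthy host the benign string comes back with Result 0 or 1 and IsMalware False, and the test sample comes back with Result 32768 (AMSI_RESULT_DETECTED) and IsMalware True, with a matching detection entry in Defender's history. Note that nothing was blocked here: the script got the verdict and simply printed it, which is the point made above that enforcement is the caller's job.
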
EXPLOITATION

One common technique is obfuscation: encoding, encryption, string concatenation and variable substitution are used to make the text the provider sees differ from the text it has signatures for. A widespread misconception is that base64 encoding on its own defeats AMSI. It does not. AMSI scans content at the point of execution, so a payload that is decoded inside the script and then run with Invoke-Expression (or handed to powershell.exe -EncodedCommand) is submitted to AMSI again in decoded form and is blocked if the provider recognises it. Encoding only helps an attacker when the decoded payload is itself something the provider has no signature for, or when the decoding is combined with other transformations that break up the strings the provider keys on.

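The following script, added here as an example and not taken from the original page, shows the base64 case directly: the payload is Microsoft's AMSI test string, encoded the way an attacker's dropper would ship it, and it is caught at the moment it is executed, both in-process via Invoke-Expression and in a child process via -EncodedCommand. It assumes Windows with Microsoft Defender (or another provider) active.

```powershell
# Added example, not from the original page: base64 encoding does not hide a
# payload from AMSI, because the decoded text is scanned when it is executed.
# Assumptions: Windows 10+, an active AMSI provider (Defender by default).

# The plaintext is assembled at run time so this script's own text never
# contains the complete test string; a real dropper would ship only $encoded.
$plain   = "Write-Output 'AMSI Test Sample: 7e72c3ce-861b-" + "4339-8740-0ac1484c1386'"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))
Write-Host "Encoded payload: $encoded"

# Decoding alone is not execution: nothing is scanned at this step.
$decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))

# Executing the decoded text is what triggers the scan. PowerShell hands the
# new script block to AmsiScanBuffer before compiling it.
try {
    Invoke-Expression $decoded
    Write-Host 'Decoded payload ran unscanned - is a provider installed and enabled?'
}
catch [System.Management.Automation.ParseException] {
    # Expected on a healthy system:
    # "This script contains malicious content and has been blocked by your antivirus software."
    Write-Host "Blocked at execution: $($_.Exception.Message)"
}

# The same applies to -EncodedCommand: the child powershell.exe decodes the
# UTF-16LE base64 and scans the result as its first script block.
$child = Start-Process -FilePath powershell.exe `
    -ArgumentList '-NoProfile', '-EncodedCommand', $encoded `
    -NoNewWindow -Wait -PassThru
Write-Host "Child process exit code: $($child.ExitCode)   (non-zero = blocked)"
```

If the Invoke-Expression branch prints the test string instead of the blocked message, AMSI is not working on that host, which is itself a useful check to run after the tampering techniques described in the next paragraph.
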
Attackers can also switch AMSI off outside the process they are running in: by removing the provider's entry under HKLM\SOFTWARE\Microsoft\AMSI\Providers, by setting AmsiEnable to 0 under HKCU\Software\Microsoft\Windows Script\Settings (which affects only the Windows Script Host), or by disabling the provider itself, for instance with Set-MpPreference -DisableRealtimeMonitoring $true, which turns off Microsoft Defender real-time protection and with it the scanning behind Defender's AMSI provider. The caveats matter: the provider-key and Set-MpPreference routes need local administrator rights, are logged, and are blocked outright where Defender Tamper Protection is enabled, and deleting or replacing amsi.dll under System32 is harder still because the file is owned by TrustedInstaller. For those reasons the more common approach is to patch amsi.dll in the attacker's own process memory, typically the first instructions of AmsiScanBuffer, so that the scan call returns an error and a clean result; that needs no elevation and leaves nothing on disk.

Another way attackers bypass AMSI is from inside the PowerShell process itself, without unloading amsi.dll. The best-known example is the reflection one-liner published by Matt Graeber in 2016. PowerShell keeps a private static field, amsiInitFailed, in its internal class System.Management.Automation.AmsiUtils; if AmsiInitialize fails at start-up the field is set to true and every later scan is skipped. The one-liner uses .NET reflection to reach that non-public field and set it to true by hand, so the current session behaves as if AMSI had never initialised and any code run afterwards is never scanned. The original string has long been signatured by Microsoft Defender, which is why the variants seen in the wild break up the class and field names with string concatenation, character substitution and case changes; the mechanism underneath is unchanged. The original form is:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

It is sometimes claimed that AMSI does not scan signed scripts and that a legitimately signed script can therefore carry malicious code past it. That is not the case: PowerShell submits every script block to AMSI whether or not the script carries an Authenticode signature, and a valid signature only satisfies execution policy. What a signature does give an attacker is a way past execution policy and application-control rules, so a trusted signed script or binary that can be made to run attacker-supplied content defeats those controls, not AMSI.

PROTECTION

To protect against these techniques, organisations should keep the AMSI provider and its signatures up to date and treat AMSI as one layer rather than the whole defence. On the AMSI side that means enabling Microsoft Defender Tamper Protection, so that Set-MpPreference and registry changes cannot silently switch the provider off; enabling PowerShell Script Block Logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records script block text independently of AMSI's verdict and therefore captures the bypass one-liners themselves; and alerting on those events and on changes to HKLM\SOFTWARE\Microsoft\AMSI\Providers. Around it, application control (AppLocker or Windows Defender Application Control) restricts which executables and scripts may run and, in enforcement mode, puts PowerShell into Constrained Language Mode, which removes the reflection and Add-Type capabilities the in-process bypasses depend on. Network segmentation divides the network into smaller, isolated segments, limiting how far a foothold gained through a bypassed AMSI can spread.
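The script below is an added example, not part of the original page, that audits the chain just described on a single host: which AMSI providers are registered, whether Defender can actually scan and is tamper-protected, whether Script Block Logging is on, and a hunt over recent 4104 events for the bypass patterns covered under EXPLOITATION (the AmsiUtils reflection trick, AmsiScanBuffer patching, the AmsiEnable and provider registry keys, and Set-MpPreference tampering). Registry paths, cmdlets and event fields are real; the Defender CLSID is the one registered on current Windows builds. Run it from an elevated PowerShell.

```powershell
# Added example, not from the original page: audit the AMSI protection chain
# and hunt Script Block Logging for AMSI tampering. Run elevated.
# Assumptions: Windows 10/11 with Microsoft Defender Antivirus.

# 1. Registered AMSI providers. Defender's CLSID is
#    {2781761E-28E0-4109-99FE-B9D127C57AFE}; an empty list means no scanning.
$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = Get-ChildItem -Path $providersKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" `
                 -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ CLSID = $clsid; Provider = $name }
}
if (-not $providers) { Write-Warning 'No AMSI providers registered: nothing is scanning script content.' }
$providers | Format-Table -AutoSize

# 2. Can the Defender provider actually scan, and is it tamper-protected?
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AMServiceEnabled          = $mp.AMServiceEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled   # false after Set-MpPreference tampering
        IsTamperProtected         = $mp.IsTamperProtected
        SignatureAgeDays          = $mp.AntivirusSignatureAge
    } | Format-List
}
catch { Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)" }

# 3. Is Script Block Logging on? Without it no 4104 events are written.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($sbl -ne 1) { Write-Warning "Script Block Logging is off: set EnableScriptBlockLogging=1 under $sblKey via policy." }

# 4. Hunt the last 7 days of 4104 events for AMSI tampering indicators.
#    Script Block Logging records the block regardless of AMSI's verdict, so
#    even a successful in-process bypass leaves its own one-liner in the log.
#    The regex deliberately avoids spelling out tokens such as the AmsiUtils
#    class name as contiguous literals: Defender signatures them, and a script
#    containing them would itself be blocked by AMSI before it could run.
$pattern = '(?i)amsi(utils|scan(buffer|string)|initfailed|enable|\.dll)|amsi\\providers|disablerealtimemonitoring'
$filter  = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
}
# 4104 payload fields: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    Select-Object TimeCreated,
        @{ n = 'Path';    e = { $_.Properties[4].Value } },
        @{ n = 'Snippet'; e = {
            $t = $_.Properties[2].Value -replace '\s+', ' '
            $t.Substring(0, [Math]::Min(120, $t.Length)) } }
if ($hits) { $hits | Format-Table -Wrap } else { Write-Host 'No AMSI tampering indicators in the last 7 days.' }
```

A host that passes all four checks still only has AMSI as one layer; the point of the hunt in step 4 is that the bypass one-liner shown under EXPLOITATION, obfuscated or not, is written to the 4104 log before AMSI ever sees it, so the attacker's attempt to blind the scanner is itself the detection signal.
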