In this blog post we would like to highlight a scenario we encountered during a recent internal penetration test conducted by Eventus. It illustrates a basic method by which an AMSI signature can be bypassed.
What is AMSI?
Anti-Malware Signature Interface (AMSI), introduced by Microsoft, provides enhanced malware protection for end users, their data, applications and workloads. Antivirus products can use these capabilities to scan the content of PowerShell scripts as well. Microsoft's native antivirus in Windows 10, Windows Defender, supports AMSI, and PowerShell version 5 and above includes AMSI support. According to Microsoft Docs, AMSI is integrated with the following components in Windows 10:
- User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- Windows Script Host (wscript.exe and cscript.exe)
- JavaScript and VBScript
- Office VBA macros
Need for Bypass?
During most red teaming exercises, and while performing internal penetration tests, there comes a point where we have an initial foothold on a system and are geared up with our script armoury to perform local enumeration, domain enumeration, privilege escalation, persistence, code execution and so on. The output of these scripts serves as threat intel for lateral movement, or for moving up the cyber kill chain towards compromising the domain controller.
In such scenarios, AMSI detects the "malicious activity" and blocks it. The screenshot below shows one such case, when we tried to import the PowerView module.
The AMSI Bypass Journey
There are various techniques to bypass this kind of protection (most predominantly obfuscation). We would like to describe one manual technique which can be useful when the engagement is not time bound. Before diving into the journey, let us first check how many security products detect PowerView as malicious. For this we used the most familiar and commonly used tool, VirusTotal. The screenshot below shows the detection results for the PowerView PowerShell script; the detection rate is pretty high.
A quick thing one can do to reduce detection is to remove comments and blank lines from the script, since many scanning engines use comment strings to detect malicious scripts. To remove comments and extra blank lines we use a plugin called ISESteroids. The screenshot below shows the plugin in use.
This creates a new tab containing the script without comments and blank lines. We can save that file and check it in VirusTotal. The screenshot below shows the detection results for the new file: detections dropped from 19 to 3.
However, on trying to import the PowerView module again, the AMSI signature still detected it and the import failed.
Hence we need to identify the triggers in the script that cause these alerts. This is the thumb rule for any bypass technique: without understanding which part of the script causes the trigger, one cannot proceed with the bypass.
To identify the triggers in our PowerShell script we use a utility called AmsiTrigger. The screenshot below shows the triggers that cause the alerts for our script.
The lines shown in the screenshot are the triggers that raise the alert and cause our script to be blocked.
To bypass the detection, we can simply use PowerShell's string concatenation. For example, below are the two changes we made.
In the first line, we changed GetType('System.AppDomain') to GetType('System'+'.'+'AppDomain').
In the last line, we changed 'krbtgt' to 'kr'+'bt'+'gt'.
Saving the modified file and running AmsiTrigger on it shows that no triggers are found any more. The screenshot below shows the AmsiTrigger output for reference.
Renaming the file back to its original name and running the import command again shows that the script imports successfully and we can invoke functions from the module. The screenshot below shows an example of the output.
We can also check VirusTotal again to see whether this small modification affected detections. The screenshot below shows that the detection score fell from 3 to 2. In total, we were able to bring the detection score down from 19 to 2 and execute our enumeration script.
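From the defender's side, the two edits above are a purely static, pre-scan transformation: the strings are only split in the file on disk, and PowerShell reassembles them before they are ever used. A scanner that folds '+'-joined string literals back together before signature matching therefore sees exactly the original terms. The Python script below is an added example written for this post; it is not code from the original article, from AmsiTrigger or from any antivirus vendor. The sample script lines and the two signature terms are constructed for the demonstration, and the literal-matching regex is a simplification (it does not handle PowerShell's doubled-quote escaping inside a literal).

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample PowerShell lines (not from the original post). Line 2 and
# line 3 use the same '+' concatenation trick the post describes; line 1 is the
# unmodified form and line 4 contains no signature term at all.
SAMPLE_LINES = [
    "$asm = [AppDomain]::CurrentDomain.GetAssemblies() | ? { $_.GetType('System.AppDomain') }",
    "$t = [Reflection.Assembly]::GetType('System'+'.'+'AppDomain')",
    "$name = 'kr'+'bt'+'gt'",
    "Write-Host 'hello world'",
]

# Hypothetical signature terms chosen for this example; a real engine's
# signatures are vendor specific and are not reproduced here.
SIGNATURE_TERMS = ["System.AppDomain", "krbtgt"]

# One single- or double-quoted PowerShell string literal (simplified: no
# support for doubled quotes such as 'it''s' inside the literal).
_LITERAL = r"""(?:'[^']*'|"[^"]*")"""
# A run of two or more literals joined by '+', e.g. 'kr'+'bt'+'gt'.
_CONCAT_RUN = re.compile(rf"{_LITERAL}(?:\s*\+\s*{_LITERAL})+")
_SINGLE_LITERAL = re.compile(_LITERAL)


def fold_concatenation(line: str) -> str:
    """Replace every '+'-joined run of string literals with one literal
    holding the joined text, which is what PowerShell evaluates at runtime."""

    def _join(match: re.Match) -> str:
        # Strip the surrounding quote from each literal and glue the bodies.
        parts = [lit[1:-1] for lit in _SINGLE_LITERAL.findall(match.group(0))]
        return "'" + "".join(parts) + "'"

    return _CONCAT_RUN.sub(_join, line)


def scan(lines: Iterable[str], terms: Iterable[str] = SIGNATURE_TERMS) -> List[Tuple[int, str, bool, bool]]:
    """Match each signature term against both the raw line and the folded
    line. Returns (line_number, term, hit_in_raw, hit_after_folding); a hit
    only after folding means the split-literal evasion would have worked
    against a scanner that matches the raw text."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        folded = fold_concatenation(line)
        for term in terms:
            raw_hit = term in line
            folded_hit = term in folded
            if raw_hit or folded_hit:
                findings.append((lineno, term, raw_hit, folded_hit))
    return findings


if __name__ == "__main__":
    for lineno, term, raw_hit, folded_hit in scan(SAMPLE_LINES):
        status = "raw match" if raw_hit else "match only after folding literals"
        print(f"line {lineno}: '{term}' -> {status}")
```

Running it on the constructed sample reports the first line as a raw match and the two concatenated lines as matches only after folding, which is exactly the gap the post exploits. Folding literal concatenation is one normalisation step; a scanner that wants to be robust needs an equivalent step for each rewriting trick it expects to see, and AMSI itself is positioned after the script engine has done that work, which is why the trigger list from AmsiTrigger, not the VirusTotal score, is the meaningful measurement here.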
Conclusion
This blog post highlights one of the techniques (one we generally use) for bypassing AMSI detections. In most cases, changing or modifying variable names also works, but some triggers are based on regular expressions, which makes the proper bypass harder to find. Because IOCs (indicators of compromise) are shared and each vendor builds its own signatures, it is recommended to follow a manual bypass process per vendor to avoid detections and alerts.