Detecting Windows AMSI Bypass Techniques

The article explains how Windows AMSI can be bypassed and how security teams can detect such abuse using Trend Micro Vision One and related products. It also outlines common bypass techniques, real-attack examples, and practical indicators for defenders. #AMSIBypass #TrendMicroVisionOne

Keypoints

  • AMSI (Antimalware Scan Interface) is a Windows interface that lets applications, most importantly script hosts, hand content to registered antimalware providers for scanning before it is executed.
  • Historically, AMSI bypass methods included obfuscation, memory patching, hooks, and DLL hijacking; attackers have increasingly used AMSI bypass as a feature in malware.
  • Components that integrate with AMSI include PowerShell, Windows Script Host (JScript/VBScript), Office VBA macros, Excel 4.0 (XLM) macros, .NET assembly loading, and WMI.
  • Manual detection areas include AMSI-related registry settings (provider registrations and the Windows Script Host AmsiEnable switch), the script-host processes that load amsi.dll, and the amsi.dll module itself; memory-patching bypasses show up as calls to VirtualProtect against amsi.dll exports such as AmsiScanBuffer, and hooking bypasses typically target AmsiInitialize or AmsiScanBuffer.
  • Real attacks show AMSI bypass used alongside payloads, process injections, and miner configurations, often starting with PowerShell after initial access.
  • Observability through Trend Micro Vision One and related platforms enables “Observed Attack Techniques” with high-severity indicators for AMSI bypass events.
  • The article emphasizes the need for comprehensive visibility across endpoints to correlate detections and improve incident response for fileless and AMSI-related threats.
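As an added example (not code from the Trend Micro article), the PowerShell below walks the manual detection areas listed above on a single host: registered AMSI providers, the Windows Script Host AmsiEnable switch, which processes have amsi.dll loaded and from where, and whether AmsiScanBuffer in the current PowerShell process still has a clean prologue. The patch byte patterns it looks for (mov eax,0x80070057; ret and a bare ret) are taken from publicly known bypass code and are an assumption, not something the article enumerates; a clean result does not prove the absence of other patches or hooks.

```powershell
# Added example, not from the Trend Micro article. Run in an elevated, freshly
# started PowerShell so that the in-process check below has not itself been
# tampered with by an earlier bypass in the same process.

# 1. Registered AMSI providers. Each CLSID under the Providers key should resolve
#    to a provider DLL you recognise (Microsoft Defender registers MpOav.dll).
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
'--- Registered AMSI providers ---'
Get-ChildItem $providerRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv   = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    [pscustomobject]@{ CLSID = $clsid; ProviderDll = $srv.'(default)' }
}

# 2. Windows Script Host switch: AmsiEnable = 0 turns scanning off for
#    wscript.exe/cscript.exe. Attackers usually write it under HKCU because
#    that needs no administrative rights, so check both hives.
'--- Windows Script Host AmsiEnable ---'
foreach ($hive in 'HKLM', 'HKCU') {
    $wsh = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows Script\Settings" -ErrorAction SilentlyContinue
    if ($wsh -and $wsh.AmsiEnable -eq 0) {
        Write-Warning "$hive AmsiEnable=0: WSH AMSI scanning is disabled"
    } else {
        "$hive AmsiEnable not set to 0"
    }
}

# 3. Which processes have amsi.dll loaded, and from which path. A copy loaded
#    from anywhere other than System32/SysWOW64 points at DLL hijacking; a
#    script host that should have it loaded but does not is also worth a look.
'--- Processes with amsi.dll loaded ---'
$trusted = @(
    (Join-Path $env:SystemRoot 'System32\amsi.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\amsi.dll')
)
Get-Process | ForEach-Object {
    $p = $_
    try   { $m = $p.Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' } }
    catch { $m = $null }   # access denied on protected or other-bitness processes
    if ($m) {
        [pscustomobject]@{
            Pid      = $p.Id
            Name     = $p.ProcessName
            AmsiPath = $m.FileName
            Hijacked = -not ($trusted -icontains $m.FileName)
        }
    }
} | Format-Table -AutoSize

# 4. In-process memory-patch check. Read the first bytes of AmsiScanBuffer in
#    this process and compare with two patch stubs seen in public bypass code
#    (assumed patterns): B8 57 00 07 80 C3 = mov eax,E_INVALIDARG; ret, and a
#    bare C3 = ret. Anything else unusual (E9 jmp, 90 nop sled) deserves a look.
'--- AmsiScanBuffer prologue in this process ---'
if (-not ('Amsi.Native' -as [type])) {
    Add-Type -Name Native -Namespace Amsi -MemberDefinition @'
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, SetLastError=true)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@
}
$amsi = [Amsi.Native]::GetModuleHandle('amsi.dll')
if ($amsi -eq [IntPtr]::Zero) {
    Write-Warning 'amsi.dll is not loaded in this PowerShell process'
} else {
    $fn    = [Amsi.Native]::GetProcAddress($amsi, 'AmsiScanBuffer')
    $bytes = New-Object byte[] 8
    [System.Runtime.InteropServices.Marshal]::Copy($fn, $bytes, 0, 8)
    $hex   = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
    if ($hex -like 'B8 57 00 07 80 C3*' -or $bytes[0] -eq 0xC3) {
        Write-Warning "AmsiScanBuffer looks patched: $hex"
    } else {
        "AmsiScanBuffer prologue: $hex"
    }
}
```

The fourth check only sees the process it runs in, and an attacker already inside that process can patch the check as easily as AmsiScanBuffer; treat it as a triage aid. The durable signal is the one the article builds on: endpoint telemetry showing VirtualProtect against amsi.dll, registry writes to the keys above, or amsi.dll loading from an unexpected path, correlated across the host rather than queried from inside a possibly compromised script host.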

MITRE Techniques

  • [T1027] Obfuscated Files and Information – Obfuscation and/or encryption of scripts and payloads so that the content AMSI scans does not match detection signatures.
  • [T1059] Command and Scripting Interpreter – PowerShell and other scripting hosts (PowerShell, Windows Script Host, JavaScript, VBScript) used to execute and load payloads.
  • [T1047] Windows Management Instrumentation – WMI is listed among components AMSI can scan and is used in some threat activities.
  • [T1112] Modify Registry – Registry modifications to AMSI-related keys (e.g., AMSI providers/settings) to weaken defenses.
  • [T1574] Hijack Execution Flow (DLL Search Order Hijacking) – Planting a rogue amsi.dll so the script host loads it instead of the genuine System32 copy, neutralising AMSI scanning.
  • [T1055] Process Injection – Hooks, memory patches, and direct injection used to subvert AMSI and run malicious code, including process hollowing of InstallUtil.exe to deliver payloads and evade detection.
  • [T1562] Impair Defenses – The AMSI bypass itself, as a defense-evasion step that weakens security controls before the payload runs.

Indicators of Compromise

  • [URL] payload download endpoints – http://89.34.27.167/ps1-6.exe, http://89.34.27.167/lol.ps1, and http://89.34.27.167/xx.xml (used to fetch scripts and payloads)
  • [IP Address] 89.34.27.167 – host for the listed URLs and payloads
  • [File] ps1-6.exe, lol.ps1, xx.xml – filenames associated with the downloader, script, and data/config/xml payloads

Read more: https://www.trendmicro.com/en_us/research/22/l/detecting-windows-amsi-bypass-techniques.html