How Threat Actors Try and Bypass Microsoft's Antimalware Scan Interface (AMSI)?


With Windows 10 and recent Windows Server platforms gaining importance, the purpose of malware developers and other cybercriminals is progressively targeted to prevent detection, by removing the anti-malware traffic cop from these platforms: Microsoft's Antimalware Scan Interface. 

AMSI, launched in 2015, offers software for communicating to security devices for file scanning, memory scanning or streaming in a supplier-agnostics manner for dangerous payloads. AMSI allows permeability of anti-malware software on Microsoft components and apps, including Windows' PowerShell engine/script hosts (wscript.exe and cscript.exe), Office document macros, the existing.NET Framework (version 4.8), and Windows Management Instrumentation (WMI) — frequently used by adversaries in “living off the land” (LOL) strategies. 

AMSI has recently been improved to integrate Excel 4.0 (XLM) macro scanning in the integration of Office 365 in an attempt to address the surge in malicious macros in an infection vector. 

Sophos experts investigated the methods used to circumvent or deactivate AMSI and stated on Wednesday that threat actors will try everything from living-off-the-ground strategies to file free attacks. 

In a 2016 tweet by the security expert Matt Graeber, the possibility of AMSI-button circumvention was emphasized, Sophos said that a single line of code has swapped the PowerShell feature for AMSI integration and may have theoretically halted PowerShell-based processes from requesting scans. 

Most post-exploitation operations, especially lateral moving, seemed concentrated on detections made between 2020 and 2021. 

The very same bypass was identified back to a specific occurrence, tied to attacks using the Proxy Logon that connected to a remote server to capture a malware downloader based on PowerShell. 

The usage of a Seatbelt, an aggressive security mechanism, is another approach used to overcome AMSI. To build a delegate process using reflecting to access the .NET interface for AmsiUtils, the PowerShell script was utilized. 

Sophos notes, nevertheless, that more than 98% of AMSI circumvention efforts are carried just via manipulating the AMSI library. A variety of malware variants are present that will try to discover the pre-loaded Memory AmsiScanBuffer and then rewrite over instructions to ensure that scanning requests fail. 

The memory element that stores the code to return the buffer scans results may be modified by other versions, leading to a failure. 

Additional tactics include Cobalt Strike – This memory patch approach comes with a PowerShell invoked remote scripts in a PowerShell pre-patch in the Agent Tesla Trojan family, amongst others. One way is to fabricate DLLs to load a false AMSI version from PowerShell. Also, DLL has been an old method and now it's impossible to load unapproved engines, or in most cases virtual machines, because of better Microsoft security (VMs). 

"Given how prevalent those tactics have become, particularly in ransomware operator intrusions, AMSI can play a particularly important role in keeping Windows 10 and Windows Server systems from being compromised," Sophos says. "But AMSI is not a panacea. And while Microsoft's Windows Defender provides some protection against AMSI bypasses, attackers are continuously finding ways to obfuscate and conceal malicious content from anti-malware signature detections."