Detect Anti-Malware Scan Interface (AMSI) Bypass Attempts CM0110
Playbook Details
- ID: CM0110
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Examine
- Status: Active
Intended Outcome
Detecting adversary attempts to bypass or disable the Anti-Malware Scan Interface (AMSI) blocks or restricts the adversary from defense evasion and actions on objectives using malicious scripts or macros.
Introduction
The Anti-Malware Scan Interface pairs with Windows Defender and provides detection for in-memory malware that uses obfuscation or evasion techniques via built-in scripting hosts. AMSI analyzes the contents of scripts after they are loaded into memory but before they are executed and serves as protection against fileless malware. Applications that send data to AMSI for content scanning include: PowerShell, VBScript, Visual Basic for Applications (VBA) macros in Office documents, .NET scripts, and Windows Management Instrumentation (WMI). AMSI additionally logs its own bypass attempts. Adversaries that bypass AMSI can run malicious scripts or macros and further perform other techniques to accomplish their objectives. A common follow-up to AMSI bypasses is reflective loading of malicious code, so that no scripts are written to disk. By detecting bypass attempts, responders can contain the incident by preventing further actions of malicious macros or scripts, which may aid the adversary in lateral movement, defense evasion, exfiltration, or privilege escalation. Newly discovered bypass techniques may go undetected.
Preparation
- Determine whether AMSI is enabled in the environment via the registry key `HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable`; a value of 0 means AMSI is disabled. Determine what effects enabling it places on business operations.
- Determine which applications and services using AMSI are present in the environment.
- Perform a backup of the registry before making any changes.
Risks
Process creation and process command-line logging produce large quantities of logs, and filtering or alerting on them can be difficult to automate. Sufficient storage for logs is recommended. Continuous monitoring may help refine captured logs and increase the proportion of actionable data.
Guidance
Adversaries may use several ways to bypass AMSI, many of which happen at runtime of the service and may be difficult to detect and contain once running. Adversaries do not need administrator privileges to run these bypasses. Monitor script execution via PowerShell and VBA macros.
Detect AMSI Bypass via Registry Keys
- Check if the registry key `HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable` is set to 0. If it is, then AMSI is disabled. Reset the registry key to 1.
- Monitor changes to the `HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable` registry key setting values to '0' to detect future bypasses using this method.
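The two registry checks above, as an added example that is not part of the CM0110 playbook: the functions read the `AmsiEnable` value the playbook names, export the key before touching it (the Preparation section asks for a registry backup), and reset the value to 1 only when it is found disabled. The backup location, function names and output messages are choices made for this example.

```powershell
# Added example, not part of the CM0110 playbook. Checks and remediates the per-user
# AmsiEnable registry value named in the playbook. Backup path and function names are assumptions.

$AmsiKeyPath = 'HKCU:\Software\Microsoft\Windows Script\Settings'
$AmsiValue   = 'AmsiEnable'

function Get-AmsiEnableState {
    # Returns 'Enabled', 'Disabled', or 'NotSet' (value absent; AMSI remains at its default)
    $item = Get-ItemProperty -Path $AmsiKeyPath -Name $AmsiValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ([int]$item.$AmsiValue -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Backup-AmsiKey {
    param([string]$BackupPath = "$env:TEMP\AmsiSettings-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # reg.exe expects the HKCU\ form of the path rather than the PowerShell drive form
    $nativePath = $AmsiKeyPath -replace '^HKCU:\\', 'HKCU\'
    & reg.exe export $nativePath $BackupPath /y | Out-Null
    return $BackupPath
}

function Restore-AmsiEnable {
    # Resets AmsiEnable to 1 if it is currently 0; leaves a 'NotSet' or 'Enabled' host untouched
    $state = Get-AmsiEnableState
    if ($state -ne 'Disabled') {
        Write-Output "AmsiEnable state is '$state'; no change made."
        return
    }
    $backup = Backup-AmsiKey
    Write-Output "Exported key to $backup before modification."
    Set-ItemProperty -Path $AmsiKeyPath -Name $AmsiValue -Value 1 -Type DWord
    Write-Output "AmsiEnable reset to 1. Treat the prior value of 0 as an indicator and review which process set it."
}

# Report the current state; call Restore-AmsiEnable to remediate a disabled value
Get-AmsiEnableState
```

For the ongoing monitoring the second bullet asks for, this snapshot check is best paired with a source that records registry value writes (Windows object-access auditing on the key, or an endpoint sensor that logs registry value set events), so that a later change to 0 raises an alert together with the writing process rather than being found only on the next scan.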
Detect AMSI Bypass via Scripting or Macros
- Monitor PowerShell script blocks containing calls to CreateThread, DllImport, Bypass, or VirtualAlloc. Further suspicious terms are listed in "Better Know a Data Source" in the References section. Some of these logs may be triggered by legitimate system administration duties.
- Monitor for commands encoded in Base64.
- Monitor for commands containing a high proportion of special symbols such as `+`, `=`, and `$`.
- Monitor the process command line for commands that downgrade to a version of PowerShell predating the implementation of AMSI, such as `powershell.exe -v 2` or `powershell.exe -version 2`, where PowerShell may be referred to as `powershell.exe` or `powershell`, and for all PowerShell event logs with ID 400. Remove or disable the PowerShell 2.0 engine from the operating system if it is not necessary for critical business functions.
- On execution of AMSI, monitor function memory addresses in Amsi.dll for tampering: check that the instructions have not changed from their initial expected values.
- Monitor hash integrity of the Amsi.dll code section for unauthorized patches.
- Monitor process calls to `amsiutils`.
- Terminate or quarantine suspicious PowerShell sessions where one or more of the above behaviors were observed.
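The script-block and command-line indicators in the list above, as an added example that is not part of the CM0110 playbook: a scoring function applies the keyword, Base64, symbol-density and version-downgrade checks to a piece of script text, a second function runs it over PowerShell ScriptBlock logging events (Event ID 4104), and a third lists engine-start events (Event ID 400) that report a 2.0 engine. The term list, the density threshold, the function names and the three sample strings are assumptions made for illustration.

```powershell
# Added example, not part of the CM0110 playbook. Term list, thresholds, function names and
# sample strings are assumptions; tune them to the environment before relying on them.

$SuspiciousTerms = @('CreateThread', 'DllImport', 'VirtualAlloc', 'Bypass', 'amsiutils')

function Test-ScriptBlockIndicators {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Terms associated with in-memory loading and AMSI tampering (-match is case-insensitive)
    foreach ($term in $SuspiciousTerms) {
        if ($Text -match [regex]::Escape($term)) { $findings.Add("keyword:$term") }
    }

    # 2. Base64 payloads: an encoded-command switch (-e, -ec, -enc, -EncodedCommand) followed by
    #    a Base64-looking blob, or decoding of an embedded blob inside the script
    if ($Text -match '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' -or
        $Text -match '(?i)FromBase64String\s*\(') { $findings.Add('base64') }

    # 3. High density of +, =, $ and backtick, typical of string-splitting obfuscation
    if ($Text.Length -gt 0) {
        $symbols = [regex]::Matches($Text, '[+=$`]').Count
        if (($symbols / $Text.Length) -gt 0.15) { $findings.Add('symbol-density') }
    }

    # 4. Explicit downgrade to the PowerShell 2.0 engine, which predates AMSI
    if ($Text -match '(?i)powershell(\.exe)?\s+-v(ersion)?\s+2(\.0)?\b') { $findings.Add('downgrade-v2') }

    [pscustomobject]@{
        Findings   = $findings.ToArray()
        Suspicious = ($findings.Count -ge 1)
        Text       = $Text
    }
}

function Get-SuspiciousScriptBlockEvents {
    param([int]$MaxEvents = 500)
    # Event 4104 carries the script-block text in its third event property
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $result = Test-ScriptBlockIndicators -Text ([string]$_.Properties[2].Value)
            if ($result.Suspicious) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Findings = ($result.Findings -join ',')
                    Snippet  = $result.Text.Substring(0, [Math]::Min(120, $result.Text.Length))
                }
            }
        }
}

function Get-EngineDowngradeEvents {
    # Event 400 (engine state changed to Available) in the classic 'Windows PowerShell' log
    # includes an EngineVersion= line in its message
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        Select-Object TimeCreated, MachineName, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0] } }
}

# Constructed samples: a benign admin command, a loader-shaped block, and an encoded downgrade.
# The Base64 string is the UTF-16LE encoding of "Write-Output hello".
$samples = @(
    'Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 1MB',
    'Add-Type -TypeDefinition "[DllImport(""kernel32"")] ... VirtualAlloc ... CreateThread"',
    'powershell.exe -version 2 -nop -w hidden -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIABoAGUAbABsAG8A'
)

$samples | ForEach-Object { Test-ScriptBlockIndicators -Text $_ } |
    Select-Object Suspicious, @{ n = 'Findings'; e = { $_.Findings -join ',' } } |
    Format-Table -AutoSize
```

Event ID 4104 is only written when PowerShell Script Block Logging is turned on, so the event-based function returns nothing on a host where that policy is off; the first sample is expected to report no findings, the second to report the DllImport, VirtualAlloc and CreateThread keywords, and the third to report both `base64` and `downgrade-v2`. Keyword hits alone can come from legitimate administration, so the Findings column, not the Suspicious flag, is what an analyst should triage before a session is terminated or quarantined.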
References
- Antimalware Scan Interface (AMSI) Win32 apps | https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
- Antimalware Scan Interface (AMSI) integration with Microsoft Defender Antivirus | https://learn.microsoft.com/en-us/defender-endpoint/amsi-on-mdav
- PowerShell Red Canary Threat Detection Report | https://redcanary.com/threat-detection-report/techniques/powershell/
- Better know a data source: Antimalware Scan Interface | https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/