Bypassing AMSI Signature Detection
Introduction
As part of my preparation for the Offensive Security Experienced Penetration Tester (OSEP) certification, I set out to test AMSI (Antimalware Scan Interface) bypass techniques on a Windows 11 environment. AMSI is a Windows interface through which script hosts (PowerShell, Windows Script Host, .NET, Office macros) hand the content they are about to execute to the installed antimalware engine, Windows Defender by default, so it can be scanned before it runs. The challenge was to load and execute a DLL containing shellcode while avoiding detection by AMSI and Windows Defender. This post details the journey, the obstacles I hit, and how I ultimately got past them by chaining multiple PowerShell scripts together.
The Initial Approach: Using Invoke-Expression (IEX)
Initially, I attempted to use the classic Invoke-Expression (IEX) method to execute a single PowerShell script designed to bypass AMSI and load the DLL. The script included a combination of AMSI bypass techniques and loading the DLL with shellcode. Here’s the original script:
Encountering Obstacles
When running this script, I encountered several errors related to syntax and method invocation. Here's an example of the error output:
The AMSI bypass function worked perfectly on its own when pasted directly into the PowerShell session, yet the same function failed when the full script was fetched and invoked via IEX. The likely cause is the unit of scanning: PowerShell submits each script block it compiles to AMSI, so the function on its own was one small scan unit, whereas the combined script handed to IEX was compiled, and therefore scanned, as a single buffer in which the whole set of techniques was visible to Defender's signatures. It is also worth knowing that a script AMSI blocks is reported by PowerShell as a parse error ("This script contains malicious content and has been blocked by your antivirus software") rather than as an antivirus alert, which is easy to mistake for a syntax problem.
The Solution: Chaining Multiple PowerShell Scripts
To overcome this, I broke the AMSI bypass process into smaller, discrete steps. By splitting the script into multiple parts and chaining them together with IEX, each part is compiled and scanned on its own, so no single scanned buffer contains the full pattern a signature is looking for. Here's how I did it:
Step 1: Initial Setup Script
The first script downloads and runs the next part of the bypass sequence.
Step 2: AMSI Bypass Part 1
The second script contains the initial AMSI bypass function definitions.
Step 3: AMSI Bypass Part 2
The third script completes the AMSI bypass by invoking the necessary functions.
Execution
Finally, I executed the initial script in the PowerShell session on the victim machine. It chained the other scripts in turn, bypassed AMSI, and loaded the shellcode DLL without Defender flagging it:
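The following is an added example, not code from the original post, that demonstrates the mechanism the chained stages in Steps 1 to 3 rely on: Defender, via AMSI, scans exactly the text each Invoke-Expression call compiles, and nothing that is merely assembled in memory afterwards. Instead of a real bypass it uses the harmless AMSI test string Microsoft publishes for checking that AMSI is working; it is flagged whenever it appears whole in scanned content, so the script keeps it in fragments (otherwise pasting the example itself would be blocked). It assumes Windows PowerShell 5.1 with Defender real-time protection enabled; the helper name Invoke-ScannedExpression is my own.

```powershell
# Added example (not from the original post). Shows what AMSI actually scans when
# content goes through Invoke-Expression. Assumes Windows PowerShell 5.1 on a host
# with Defender real-time protection enabled.
#
# Test input: the AMSI test string Microsoft publishes for checking that AMSI works.
# It is harmless but flagged whenever it appears whole in scanned content, so it is
# kept as fragments here; otherwise pasting this file would itself be blocked.
$fragments = @('AMSI Te', 'st Sample: 7e72c3ce-', '861b-4339-8740-0ac1484c1386')

function Invoke-ScannedExpression {
    # Compiles $Code through Invoke-Expression and reports whether AMSI blocked it.
    # A block surfaces as a parse error with error id ScriptContainedMaliciousContent.
    param([Parameter(Mandatory)][string]$Code)
    try {
        $result = Invoke-Expression $Code
        [pscustomobject]@{ Status = 'Allowed'; Output = $result }
    } catch {
        if ($_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*' -or
            $_.Exception.Message -match 'malicious content') {
            [pscustomobject]@{ Status = 'Blocked'; Output = $null }
        } else {
            throw
        }
    }
}

# Case 1: the whole string reaches the parser in one buffer, so the signature matches.
$whole = -join $fragments
$one = Invoke-ScannedExpression -Code "'$whole'"
"One IEX call with the full string  : $($one.Status)"

# Case 2: each fragment is compiled (and scanned) on its own; none of them matches.
$parts = $fragments | ForEach-Object { Invoke-ScannedExpression -Code "'$_'" }
"Three IEX calls, one fragment each : $(($parts.Status | Select-Object -Unique) -join ',')"

# The fragments' outputs are joined as plain data. The result is byte-for-byte the
# flagged string, but no AMSI scan ever saw it, because it was never handed to the parser.
$reassembled = -join $parts.Output
"Reassembled in memory equals the flagged string: $($reassembled -eq $whole)"

# Case 3: the moment the assembled data is compiled again, it is scanned again.
$again = Invoke-ScannedExpression -Code "'$reassembled'"
"Compiling the reassembled string   : $($again.Status)"
```

Case 1 doubles as a check that AMSI is actually active on the test host; if it reports Allowed, either real-time protection is off or the host is already tampered with, and nothing the rest of the exercise shows means anything. Case 3 is the caveat that matters for a chained stager: splitting only helps for the buffers that are compiled separately, so whatever the last stage finally compiles is still scanned as a unit, and each of the individual pieces is still recorded by script block logging.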
Conclusion
By breaking down the AMSI bypass process into smaller scripts and chaining them together, I was able to bypass AMSI and load the DLL without being flagged by Windows Defender. Note what this does and does not defeat: it sidesteps static signature matching on the content submitted to AMSI, but PowerShell script block logging (Event ID 4104) still records every piece that was compiled, and behavioural detections on what the shellcode does afterwards are unaffected. This approach demonstrates the importance of adapting techniques and thinking creatively when encountering obstacles in penetration testing.
Key Takeaways
Flexibility: Breaking a script into smaller parts, each compiled and scanned on its own, can defeat signatures that only match the assembled whole.
Adapting Techniques: When traditional methods fail, adapting and trying new approaches is crucial.
Testing Environment: Always test your scripts in a controlled environment to ensure they work as expected.
This exercise not only helped me understand AMSI and PowerShell better but also reinforced the importance of persistence and creativity in cybersecurity.