kql · Elastic-2.0 · from elastic/detection-rules
Potential Antimalware Scan Interface Bypass via PowerShell
Rule source: rules/windows/defense_evasion_amsi_bypass_powershell.toml
event.category:"process" and host.os.type:windows and
(
powershell.file.script_block_text : (
"System.Management.Automation.AmsiUtils" or
amsiInitFailed or
"Invoke-AmsiBypass" or
"Bypass.AMSI" or
"amsi.dll" or
AntimalwareProvider or
amsiSession or
amsiContext or
AmsiInitialize or
unloadobfuscated or
unloadsilent or
AmsiX64 or
AmsiX32 or
FindAmsiFun or
"AllocHGlobal((9076" or
"[cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69"
) or
powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(") or
powershell.file.script_block_text:("::AllocHGlobal((" and ".SetValue(" and "-replace" and ".NoRMALiZe(")
) and
not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint"
)