Potential Antimalware Scan Interface Bypass via PowerShell

edit

Potential Antimalware Scan Interface Bypass via PowerShell

edit

Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion
  • PowerShell

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.category :"process" and
 (
  powershell.file.script_block_text :
        (System.Management.Automation.AmsiUtils or
				 amsiInitFailed or
				 Invoke-AmsiBypass or
				 Bypass.AMSI or
				 amsi.dll or
				 AntimalwareProvider  or
				 amsiSession or
				 amsiContext or
				 System.Management.Automation.ScriptBlock or
				 AmsiInitialize or
				 unloadobfuscated or
				 unloadsilent or
				 AmsiX64 or
				 AmsiX32 or
				 FindAmsiFun) or

  powershell.file.script_block_text : ("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or

  powershell.file.script_block_text : ("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
 )

Framework: MITRE ATT&CKTM