AMSI Bypass/Disable
#1
Hi,
I was researching macro exploits and how they work.
They embed PowerShell, VBScript, etc. in a macro document to run malicious commands on the target's device.

Here are some good articles that I found:
https://www.cyberark.com/resources/threa...-technique
https://www.cyberark.com/resources/threa...pass-redux

"One way that seemed an intuitive way of evading AMSI was to patch out exported functions from AMSI.dll, the library responsible for gluing together Defender and PowerShell.

patch “amsi.dll”’s exported function “AmsiScanBuffer”, which is invoked from PowerShell as a way to check if a command is malicious. By modifying the function body by injecting our own assembly code, we can create a small stub which will always return a code indicating that a command is non-malicious."

Does this method still work, or is there any new method?
#2
Not sure if the method is still viable; however, you'd need a ROPGadget to patch the DLL in question on target.

Like the article you linked suggests, the best way to go about that is by running inline C# code through PowerShell, specifically a module you can load. So then the question becomes: how to get the module on target. Dropper code as a Word macro will work. But unless you have a custom PowerShell payload that you designed for the system you are targeting during the specific engagement in which you would use this AMSI bypass technique, why make it more complicated than it has to be? You could always use Nishang, which comes with a script for AMSI bypass as well.

So whether the technique you asked about is viable or not is, in essence, a question of whether there is a specific reason for you to go through all the trouble of setting up this complete attack chain, or not.

If you are interested in ROPGadgets generally, I suggest you give this article a read.
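The two posts above describe in-memory patching of AmsiScanBuffer, delivered through inline C# loaded from PowerShell. From the defender's side, the same details give you something to hunt for: PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the text of every block that ran, tampered AMSI or not, because the log is written by the engine, not by the scanner. The script below is an added example written for this thread, not code from the posts, the CyberArk articles or Nishang. It assumes script block logging is enabled on the host, and its indicator list (AmsiScanBuffer, amsi.dll, Add-Type combined with DllImport) is an assumption built only from the terms used in the thread; tune it to your environment.

```powershell
# Added example (not from the thread): review PowerShell script block logs for references to the
# AMSI internals discussed above. Requires "Turn on PowerShell Script Block Logging" to be enabled.
# The indicator list is an assumption derived from the terms in the thread, not a vendor signature.

function Find-AmsiTamperIndicators {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string] $ScriptText
    )
    # Regex patterns; each is something an ordinary admin script has little reason to contain.
    $indicators = @(
        'AmsiScanBuffer'               # the exported function the thread describes patching
        'amsi\.dll'                    # direct reference to the AMSI library itself
        'Add-Type[\s\S]*DllImport'     # inline C# that P/Invokes native APIs from PowerShell
    )
    $hits = foreach ($pattern in $indicators) {
        if ($ScriptText -match $pattern) { $pattern }
    }
    return @($hits)   # always an array, so .Count is safe with zero or one hit
}

function Get-SuspiciousScriptBlocks {
    param([int] $MaxEvents = 2000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 event properties, in order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string] $_.Properties[2].Value
            $hits = Find-AmsiTamperIndicators -ScriptText $text
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value
                    Indicators    = ($hits -join ', ')
                    Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample blocks (not real log data) showing what the filter keeps and what it drops.
$samples = @(
    'Get-Service | Where-Object Status -eq Running | Export-Csv C:\temp\services.csv'
    'Add-Type -TypeDefinition $src  # [DllImport("kernel32")] ... then overwrite AmsiScanBuffer in amsi.dll'
)
foreach ($s in $samples) {
    $hits = Find-AmsiTamperIndicators -ScriptText $s
    $verdict = if ($hits.Count -gt 0) { 'FLAG' } else { 'ok' }
    '{0,-5} {1}' -f $verdict, $s
}

# On a live host with script block logging enabled:
# Get-SuspiciousScriptBlocks | Format-Table TimeCreated, Indicators, Path -AutoSize
```

Two things to keep in mind when using this: Add-Type with DllImport on its own is common in legitimate tooling, so treat it as a triage hint rather than a verdict and look for it alongside the AMSI-specific strings. Also, the constructed sample contains the very strings the filter hunts for, so on a host where AMSI and Defender are healthy the file may itself be blocked when loaded; that is the control working as the thread describes, and you can drop the sample section when deploying the functions for real.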
#3
Got it. Thanks for the good advice! I appreciate it.
#4
Hi guys,

I'm really interested in the technical details, but I really need to figure this out.
Thank you for the tips!