AMSI Bypass Pattern Assembly GetType

About the rule

Rule Type

Standard

Rule Description

Antimalware Scan Interface (AMSI) is a Windows component that enables applications to integrate with anti-malware software, allowing the scanning of scripts and files for malware before execution. AMSI typically uses signature-based detection to identify PowerShell scripts exhibiting malicious patterns. To bypass AMSI, attackers often obfuscate malicious PowerShell scripts by breaking the code into multiple fragments or patterns, making it harder for AMSI to detect. These fragmented pieces are then dynamically assembled and executed at runtime, effectively evading AMSI detection. This rule detects such fragmented and dynamically assembled code executions that are designed to bypass AMSI pattern detection.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → PowerShell script execution → Defense Evasion → Impair Defenses → Disable or Modify Tools → Impact

Impact

• System compromise
• Defense evasion
• Malware execution

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((( SCRIPTEXECUTED CONTAINS ""[ref].assembly.gettype"" ) AND( SCRIPTEXECUTED CONTAINS ""setvalue($null)"" ) AND( SCRIPTEXECUTED CONTAINS ""$true"" ) AND( SCRIPTEXECUTED CONTAINS ""nonpublic"" ) AND( SCRIPTEXECUTED CONTAINS ""static"" ) )))

This rule is triggered when the executed script contains the following suspicious elements:

• [ref].assembly.gettype: A reflection method used to dynamically access .NET types at runtime.
• setvalue($null): A method call to set internal fields or properties to null, potentially disabling security checks.
• $true: A parameter used to enable flags related to bypass mechanisms.
• nonpublic: Refers to private members of a class, typically the internal AMSI components.
• static: Refers to static members that are targeted to modify AMSI behavior.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of a PowerShell script execution involving the Assembly.GetType reflection. This enables you to monitor runtime environments like PowerShell, detect obfuscated code in PowerShell scripts, and restrict applications from using reflection or dynamic code execution that bypasses AMSI."

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule might be triggered when legitimate applications use the Assembly.GetType reflection for loading plugins or to inject dependencies

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell executions: Continuously monitor PowerShell activities, flag obfuscated PowerShell scripts, and restrict dynamic script executions that bypass AMSI.

Mitigation