AMSI Bypass

Ibrahim Khalilov
3 min read, Jan 13, 2023


Hi everybody. In this article, I will explain what AMSI (Antimalware Scan Interface) is and how to bypass it.

What is AMSI?

A feature of the Windows operating system that lets applications hand script content to the installed antimalware engine for scanning before it is executed. By default, Windows Defender registers with the AMSI API and scans content that can run code, such as PowerShell scripts, VBA macros or JavaScript run through Windows Script Host, so that a malicious command is blocked before it executes.
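To see the behaviour described above on a host, here is an added defender-side check that is not part of the original article: it lists the antimalware engines registered as AMSI providers and verifies that AMSI actually blocks Microsoft's published AMSI test sample string (a harmless string that every provider is expected to flag, much like the EICAR file for file scanners). The function names and the use of Invoke-Expression to trigger the scan are my own assumptions; it expects Windows PowerShell 5.1 or later.

```powershell
# Added example: health check that AMSI is registered and blocking content.
# Assumes Windows PowerShell 5.1+ on a host with an AMSI-capable antimalware engine.

function Get-AmsiProviders {
    # Antimalware engines register as AMSI providers under this key, one subkey per CLSID.
    $key = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $clsid = $_.PSChildName
        # Resolve the CLSID to its registered display name, if any.
        $name = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $name }
    }
}

function Test-AmsiBlocking {
    # Microsoft's published AMSI test sample string: harmless by itself,
    # but every AMSI provider is expected to flag it.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # Invoke-Expression compiles the text, which sends it through AMSI;
        # a working provider raises ScriptContainedMaliciousContent.
        $null = Invoke-Expression "'$sample'"
        # Nothing objected: AMSI is absent, tampered with, or the engine lacks the signature.
        return $false
    } catch {
        return ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*' -or
                $_.Exception.Message -match 'malicious content')
    }
}

# Report: which providers are registered, and whether scanning actually blocks.
Get-AmsiProviders | Format-Table -AutoSize
if (Test-AmsiBlocking) { 'AMSI is blocking content on this host.' }
else                   { 'WARNING: AMSI did not block the test sample; investigate this host.' }
```

A provider listed but a failed block is the interesting case for a defender: the engine is registered, yet content is not being scanned in this process.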

How to bypass AMSI?

There are many articles about this on the Internet, but few are up to date. I wanted to share with you the method I found as a result of my research.

We encounter an obstacle when we want to run the Invoke-Mimikatz command in PowerShell: it is reported as a malicious command. So how can we overcome this?

As a result of the research that exhausted me, I found 4 lines of code and combined them into a single line. To bypass, it was necessary to split strings with ‘.
Ok, now let’s try this with the Empire Framework.

The above is the auxiliary command for me to get the reverse shell.

The connection has been successfully established. Now let’s see if it can be caught in runtime.

We are able to run commands and the connection does not drop.

Many scenarios can be built on this. We can save our bypass and reverse shell script to a .ps1 (PowerShell script) file and run it on a schedule.

For example:

while ($true) {
    $w = dir                        # the command to repeat; its output is kept in $w
    Start-Sleep -Seconds (60*60)    # wait 60 minutes before the next iteration
}

In the while loop, the “dir” command runs every 60 minutes, that is, every hour. So what happens if we run this?

Now let’s get past this.

while ($true) {
    # Set the execution policy, then run the command; ";" separates the two statements.
    $w = Set-ExecutionPolicy -ExecutionPolicy Unrestricted; dir
    Start-Sleep -Seconds (60*60)    # wait 60 minutes before the next iteration
}

These commands allow scripts to run by setting the execution policy to “Unrestricted” with the “Set-ExecutionPolicy” command. You can separate commands on one line with “;”. Note that the execution policy is a safety feature against running scripts accidentally, not a security boundary, and it is independent of AMSI scanning.

As a result, we only need to replace the “dir” part with our code.

It is possible to run the method above in the background. Just do your research :)
