Cybercriminals and security researchers looking to bypass Microsoft’s Antimalware Scan Interface (AMSI) usually go for one of four commonly-used methods, analysis from cybersecurity analysts at Sophos has shown.
AMSI is Microsoft’s “anti-malware traffic cop”, as Sophos describes it, enabling software to scan files, memory or streams for malicious code, regardless of the software vendor.
With AMSI, antivirus programs get to analyze Microsoft components and applications such as PowerShell engine and script hosts, Office document macros (one of the most popular methods of spreading malicious code among workers), .NET Framework components, or Windows Management Instrumentation (WMI) components.
Sophos says there are four key ways hackers (both malign and benign) usually bypass AMSI: either with PowerShell code (an old, but incredibly prevalent method), by messing with the code of the AMSI library that’s already loaded into memory (more than 98% of the bypass attempts focus on this method), by loading a counterfeit version of amsi.dll, or by downgrading scripting engines to versions older than AMSI.
AMSI hacks
While these are the four most prevalent methods, Sophos says there are others that also revolve around “staying away from processes that interact with AMSI”. In some extreme cases, such as the Ragnar Locker one, attackers brought entire virtual machines to hide their scripts from being detected.
One of AMSI’s main goals is to defend its premises from living-off-the-land (LOL) tactics that use Microsoft’s own components, as well as to help developers strengthen the cybersecurity posture of their own tools, the researchers are saying.
Ransomware’s increasing popularity has made AMSI super important in keeping Windows 10 and Windows Server systems secure.
“But AMSI is not a panacea,” Sophos concludes. It’s a great addition to anyone’s cybersecurity arsenal, but “a defense in depth”, that leverages a blend of detections at the endpoint and on the network, is crucial in safeguarding one’s premises.
