patch Antimalware Scan Interface function

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: patch Antimalware Scan Interface function
    namespace: anti-analysis/anti-av
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
    mbc:
      - Defense Evasion::Disable or Evade Security Tools [F0004]
    references:
      - https://fluidattacks.com/blog/amsi-bypass/
    examples:
      - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
  features:
    - and:
      - match: change memory protection
      - or:
        - string: "AmsiScanBuffer"
        - string: "AmsiScanString"
      - optional:
        - match: write process memory
        - string: "amsi.dll"

last edited: 2025-01-29 09:27:13