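# capa rule: detects a function that patches an AMSI (Antimalware Scan
# Interface) API, a common defense-evasion technique. The nesting below
# is the rule's structure; with every line flushed to column 0 a YAML
# parser reads `rule`, `meta`, `scopes`, `and`, `or` and `optional` as
# null values and the rule does not load.
rule:
  meta:
    name: patch Antimalware Scan Interface function
    namespace: anti-analysis/anti-av
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
    mbc:
      - Defense Evasion::Disable or Evade Security Tools [F0004]
    references:
      - https://fluidattacks.com/blog/amsi-bypass/
      - https://medium.com/@s12deff/amsi-patching-using-amsiopensession-9d31df8237a8
      - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
    examples:
      # sample SHA-256, then the address of the function that matches
      - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
      - 7cd03db8ed91a66920cc03026baa2df2a8370293b072218b9fbf6d9a21cad66b:0x180004EB0
  features:
    - and:
      # `match` references another rule by name: the function must also
      # satisfy "change memory protection" (e.g. making the target page
      # writable before patching) and reference one of the AMSI API names.
      - match: change memory protection
      - or:
        - string: "AmsiScanBuffer"
        - string: "AmsiScanString"
        - string: "AmsiOpenSession"
        - string: "AmsiInitialize"
      # `optional` features do not affect whether the rule matches; they
      # are reported for context when present.
      - optional:
        - match: write process memory
        - string: "amsi.dll"
        - string: "amsi"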