Potential Antimalware Scan Interface Bypass via PowerShell

Identifies the execution of a PowerShell script containing keywords associated with known Antimalware Scan Interface (AMSI) bypass techniques. An adversary may first attempt to disable AMSI so that subsequently executed malicious PowerShell scripts evade detection.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion
  • PowerShell

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.category :"process" and
 (
  powershell.file.script_block_text :
        (System.Management.Automation.AmsiUtils or
         amsiInitFailed or
         Invoke-AmsiBypass or
         Bypass.AMSI or
         amsi.dll or
         AntimalwareProvider or
         amsiSession or
         amsiContext or
         System.Management.Automation.ScriptBlock or
         AmsiInitialize or
         unloadobfuscated or
         unloadsilent or
         AmsiX64 or
         AmsiX32 or
         FindAmsiFun) or

  powershell.file.script_block_text : ("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or

  powershell.file.script_block_text : ("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
 )
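The following is an added example, not part of the Elastic rule or its repository: a small offline emulation of the query's matching logic that a detection engineer can run against constructed script-block events to confirm which branch of the rule fires (single keyword, both halves of a compound condition, or nothing). It assumes that a case-insensitive substring match is an acceptable approximation of KQL's analyzed-text matching on powershell.file.script_block_text, and that events are plain dicts keyed by the ECS field names used in the rule.

```python
# Offline emulation of the rule above (added example; assumptions: flat dict
# events keyed by ECS field name, case-insensitive substring matching as a
# stand-in for KQL analyzed-text matching).

AMSI_KEYWORDS = [  # single-term list from the rule; any one hit alerts
    "System.Management.Automation.AmsiUtils", "amsiInitFailed", "Invoke-AmsiBypass",
    "Bypass.AMSI", "amsi.dll", "AntimalwareProvider", "amsiSession", "amsiContext",
    "System.Management.Automation.ScriptBlock", "AmsiInitialize", "unloadobfuscated",
    "unloadsilent", "AmsiX64", "AmsiX32", "FindAmsiFun",
]

AMSI_PAIRS = [  # compound conditions from the rule; both terms must be present
    ("[System.Runtime.InteropServices.Marshal]::Copy", "VirtualProtect"),
    ("[Ref].Assembly.GetType(('System.Management.Automation", ".SetValue("),
]


def _contains(text: str, term: str) -> bool:
    return term.lower() in text.lower()


def amsi_rule_hits(event: dict) -> list:
    """Return the rule terms matched by one event ([] means no alert)."""
    if event.get("event.category") != "process":
        return []
    text = event.get("powershell.file.script_block_text", "")
    hits = [k for k in AMSI_KEYWORDS if _contains(text, k)]
    hits += [" and ".join(p) for p in AMSI_PAIRS if all(_contains(text, t) for t in p)]
    return hits


def triage(events: list) -> list:
    """Run the rule over a batch; return (index, hits) for every alerting event."""
    return [(i, amsi_rule_hits(e)) for i, e in enumerate(events) if amsi_rule_hits(e)]


# Constructed sample events (not real telemetry) covering the rule's edge cases.
SAMPLE_EVENTS = [
    {"event.category": "process",
     "powershell.file.script_block_text": "Get-Process | Where-Object CPU -gt 10"},
    {"event.category": "process",  # keyword match is case-insensitive here
     "powershell.file.script_block_text": "# test string mentioning AMSIINITFAILED"},
    {"event.category": "process",  # VirtualProtect alone is not enough
     "powershell.file.script_block_text": "VirtualProtect referenced without Copy"},
    {"event.category": "process",  # both halves of the first compound condition
     "powershell.file.script_block_text":
         "[System.Runtime.InteropServices.Marshal]::Copy ... VirtualProtect"},
    {"event.category": "network",  # wrong category never alerts
     "powershell.file.script_block_text": "amsi.dll"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx} alerts on: {hits}")
```

Because the real query matches analyzed terms rather than raw substrings, treat a hit from this emulation as a reason to test the rule in Elastic with the same script block, not as proof that the production rule would alert.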

Framework: MITRE ATT&CK™