Preventing an AMSI bypass with PowerShell Protect
August 29, 2020
With version 1.2 of PowerShell Protect, you can now prevent an AMSI bypass using a new, custom condition for checking for signs of this attack taking place.
About the AMSI Bypass
The AMSI bypass technique works by loading AMSI.dll into memory through P/Invoke function calls and then using the Marshal class to manipulate and patch the memory of the loaded DLL. This effectively renders AMSI inoperable.
You can read more about the AMSI bypass technique here.
Detecting and Blocking an AMSI Bypass
PowerShell Protect now comes with a special condition for checking for the execution of this bypass. If a caller starts to do things like load AMSI.dll or tamper with the memory of the process, PowerShell Protect will match this condition and you can choose to audit or block the action.
The rule is very simple, since you do not need to set up the conditions yourself.
<Rule>
  <Conditions>
    <Condition>
      <Property>AmsiBypass</Property>
    </Condition>
  </Conditions>
  <Actions>
    <ActionRef>
      <Name>Block</Name>
    </ActionRef>
  </Actions>
</Rule>
The result is a block of the bypass.
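To illustrate what a condition like this is looking for, here is an added audit-style check written for this post; it is not PowerShell Protect's own implementation, and the function name, the indicator list and the two sample script blocks are assumptions constructed for the example. It flags script text that combines the two ingredients described above, a P/Invoke load of AMSI.dll and Marshal-class writes into process memory, and returns a verdict you could map onto an audit or block action.

```powershell
# Added example (not PowerShell Protect's code): an audit-style check for the
# two ingredients this post describes, a P/Invoke load of amsi.dll and
# Marshal-class writes into process memory. Function name and indicator
# patterns are assumptions chosen for illustration.
function Test-AmsiBypassIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ScriptText
    )

    # Each indicator pairs a regex with the behaviour it points to.
    $indicators = @(
        @{ Name = 'LoadsAmsiDll';       Pattern = 'amsi\.dll' }
        @{ Name = 'UsesPInvoke';        Pattern = '\[DllImport\(|\bLoadLibrary\b|\bGetProcAddress\b' }
        @{ Name = 'MarshalMemoryWrite'; Pattern = 'Marshal\]::(Copy|Write(Byte|Int16|Int32|Int64|IntPtr)|StructureToPtr)\b' }
    )

    # -match is case-insensitive by default, which is what we want here.
    $hits = foreach ($i in $indicators) {
        if ($ScriptText -match $i.Pattern) { $i.Name }
    }

    # Verdict mirrors the post: loading amsi.dll together with memory
    # manipulation is the bypass pattern; either alone is merely worth auditing.
    $verdict = if ($hits -contains 'LoadsAmsiDll' -and $hits -contains 'MarshalMemoryWrite') {
        'Block'
    } elseif (@($hits).Count -gt 0) {
        'Audit'
    } else {
        'Allow'
    }

    [pscustomobject]@{
        Verdict    = $verdict
        Indicators = @($hits)
    }
}

# Constructed samples (not real scripts): a benign script block, and one that
# contains only the tokens the post associates with the bypass.
$benign = @'
Get-ChildItem C:\Logs -Filter *.log | Select-String -Pattern 'ERROR'
'@

$suspicious = @'
$h = [Native]::LoadLibrary("amsi.dll")
[System.Runtime.InteropServices.Marshal]::WriteInt32($addr, 0)
'@

Test-AmsiBypassIndicators -ScriptText $benign
Test-AmsiBypassIndicators -ScriptText $suspicious
```

A check of this shape is useful for auditing script block logging output or for confirming that a rule fires in a test environment; it is a string-level approximation, so obfuscated scripts will slip past it where the product's condition, which watches what the caller actually does, would not.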
Simplifying Logging Bypass Detection
PowerShell Protect 1.2 also simplifies detecting and configuring the module and script block logging bypasses. You can now use the
<Rule>
  <Conditions>
    <Condition>
      <Property>LoggingBypass</Property>
    </Condition>
  </Conditions>
  <Actions>
    <ActionRef>
      <Name>Block</Name>
    </ActionRef>
  </Actions>
</Rule>
Get started today
You can download PowerShell Protect from the PowerShell Gallery.