Preventing an AMSI bypass with PowerShell Protect

Protect AMSI Security

August 29, 2020

With version 1.2 of PowerShell Protect, you can now prevent an AMSI bypass using a new, custom condition for checking for signs of this attack taking place.

About the AMSI Bypass

The AMSI bypass technique works by loading AMSI.dll into the process using a few P/Invoke function calls and then using the Marshal class to manipulate and patch the memory of the loaded DLL. This effectively renders AMSI inoperable for the rest of that process.

You can read more about the AMSI bypass technique here.

Detecting and Blocking an AMSI Bypass

PowerShell Protect now comes with a special condition for checking for the execution of this bypass. If a caller starts to do things like load the AMSI.dll or play with the memory of the process, PowerShell Protect will match this condition and you can choose to audit or block the action.

The rule is very simple, since the checks are built into the condition and you do not need to set them up yourself.

    <Rule>
        <Conditions>
            <Condition>
                <Property>AmsiBypass</Property>
            </Condition>
        </Conditions>
        <Actions>
            <ActionRef>
                <Name>Block</Name>
            </ActionRef>
        </Actions>
    </Rule>

With this rule in place, the bypass attempt is blocked.
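As an added example (not code from PowerShell Protect or this post), the following PowerShell sketch shows the kind of check an AmsiBypass-style condition has to perform: it flags script text only when both halves of the technique described above are present, a P/Invoke load of amsi.dll and Marshal writes into process memory, and it is run over constructed sample script blocks. The indicator lists, the function name and the samples are assumptions; the real condition's logic is not published here.

```powershell
# Added example, not PowerShell Protect's own implementation.
# Indicator lists are assumptions, chosen to mirror the two halves of the
# technique: (1) getting amsi.dll into the process via P/Invoke and
# (2) patching that module's memory through the Marshal class.
$LoadIndicators  = @('amsi\.dll', 'LoadLibrary', 'GetProcAddress', 'DllImport')
$PatchIndicators = @(
    '\[System\.Runtime\.InteropServices\.Marshal\]',
    'Marshal\]::(Copy|Write(Byte|Int16|Int32|Int64))',
    'VirtualProtect'
)

function Test-AmsiBypassIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)

    $load  = @($LoadIndicators  | Where-Object { $ScriptText -match $_ })
    $patch = @($PatchIndicators | Where-Object { $ScriptText -match $_ })

    # Only flag when both halves appear together: a script that merely
    # P/Invokes, or merely uses Marshal, is ordinary administration.
    [pscustomobject]@{
        Suspicious = ($load.Count -gt 0 -and $patch.Count -gt 0)
        LoadHits   = $load
        PatchHits  = $patch
    }
}

# Constructed sample script blocks, the sort of text a script block log
# entry (Event ID 4104, ScriptBlockText) would carry. Hypothetical content.
$samples = [ordered]@{
    'benign-interop' = 'Add-Type -MemberDefinition $sig -Name Win32 -Namespace W; [W.Win32]::GetProcAddress($h, "Foo")'
    'benign-marshal' = '$p = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(16)'
    'bypass-like'    = '$h = [W.Win32]::LoadLibrary("amsi.dll"); $a = [W.Win32]::GetProcAddress($h, $n); [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $a, $buf.Length)'
}

foreach ($entry in $samples.GetEnumerator()) {
    $r = Test-AmsiBypassIndicators -ScriptText $entry.Value
    '{0,-15} suspicious={1} load=[{2}] patch=[{3}]' -f $entry.Key, $r.Suspicious,
        ($r.LoadHits -join ','), ($r.PatchHits -join ',')
}

# To run the same check over real script block logging on a host (Windows only):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Test-AmsiBypassIndicators -ScriptText $_.Properties[2].Value }
```

Only the third sample is flagged; the first two show why a single indicator on its own is not enough to decide.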

Simplifying Logging Bypass Detection

We’ve also simplified detecting and configuring rules for the module and script block logging bypasses in PowerShell Protect 1.2. You can now use the LoggingBypass condition.

    <Rule>
        <Conditions>
            <Condition>
                <Property>LoggingBypass</Property>
            </Condition>
        </Conditions>
        <Actions>
            <ActionRef>
                <Name>Block</Name>
            </ActionRef>
        </Actions>
    </Rule>

Get started today

You can download PowerShell Protect from the PowerShell Gallery.

    Install-Module PowerShellProtect