AMSI Bypass

2.3K views
Dec 23, 2024
42:41

Hi there, and welcome to this new video in which we continue the "Windows Privilege Escalation" series! In this episode we look at the Windows Antimalware Scan Interface (AMSI), which Windows uses to trigger security scans. AMSI provides a standard interface that allows security solutions to scan files, memory, and other data for threats. The AMSI bypass technique can be used to disable this mechanism. This, by itself, does not make our payloads evade antivirus directly, but it lets them avoid raising suspicion in the context of well-known processes such as powershell. This is just a very tiny and introductory topic within the bigger context of AV/EDR evasion and bypass techniques. Also, just to be clear, the objective of this video is not to showcase payloads that can be used against real systems in red teaming activities, as that is outside the scope of the series. The video instead aims to build understanding of AMSI. As always, I hope you find the video helpful, and I would appreciate it if you leave your feedback down in the comments and share this series with like-minded people. Thank you very much!

-------------------------
TIMESTAMP
00:00 Introduction
03:20 What is an Antivirus?
13:00 and in Windows?
15:10 Windows Antimalware Scan Interface (AMSI)
21:12 AMSI Bypass
24:55 First Bypass
38:22 Second Bypass
40:30 Conclusion

-------------------------
REFERENCES
- Material: https://github.com/LeonardoE95/yt-en/tree/main/src/2024-12-23-windows-privesc-amsi-bypass
- Review of Known AMSI Bypass Techniques and Introducing a New One: https://www.youtube.com/watch?v=8y8saWvzeLw
- One-liner to bypass the AMSI in a Powershell: https://arttoolkit.github.io/wadcoms/AMSI-Bypass-amsiContext/
- Amsi Bypass Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell?tab=readme-ov-file#Forcing-an-error
- All methods to bypass AMSI (2022): https://gist.github.com/D3Ext/bf57673644ba08e729f65892e0dae6c4

-------------------------
CONTACTS
- Blog: https://blog.leonardotamiano.xyz/
- Github: https://github.com/LeonardoE95?tab=repositories
- Support: https://www.paypal.com/donate/?hosted_button_id=T49GUPRXALYTQ