Advice Request AMSI PowerShell Basic Test

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
5

509322

Thread author
Invoke-Mimikatz.ps1

1. Copy-paste into Administrator PowerShell > blocked from running in-memory (NOTE reference to detection via AMSI)

Cap3.PNG


Cap2.PNG


2. Right-click > Run as administrator > blocked upon access (NOTE no reference to AMSI)

Cap4.PNG


3. Double-click on Desktop > blocked upon access (NOTE no reference to AMSI)

Cap5.PNG


NOTE the difference signatures, dependent upon how executed.

Cap1.PNG
 
  • Like
Reactions: silversurfer, In2an3_PpG, Andy Ful and 5 others
E

Eddie Morra

Thread author
shmu26 said:
So it looks like even Windows Defender doesn't know how to implement AMSI right.
Click to expand...
Microsoft's Windows Defender Team are the only team which know exactly how to implement AMSI properly along with having access to all of the knowledge on what can go wrong and what will or won't trigger it... unless you reverse-engineer everything and even then you may have missed something.

Microsoft intentionally withhold documentation and it causes third-parties to become confused. This can lead to improper implementations which are unreliable and unstable in the long-run and cause an unknown number of issues. It's Microsoft's fault. The public documentation may as well not exist at all in its current state because it's absolutely atrocious - it isn't very descriptive at all and this isn't helpful on any level.

It's a pathetic state of affairs.

Anyway... here is some information from me that may help you guys. Note, this information is from my own experience and may be inaccurate for Windows Defender's case specifically (since I do not have Windows Defender insider knowledge).

1. When you open PowerShell yourself, that triggers AMSI. When you try to execute any scripts by typing/copy-pasting and entering them, that also triggers AMSI.

2. If you open a PowerShell script from a file and then it loads in PowerShell, this will trigger AMSI as well. The same as #1 will trigger AMSI.

However, Windows Defender also supports on-execution scanning, and if PowerShell is included for this... then this will happen before AMSI can be triggered (because it'd be before PowerShell actually tries to execute the script - AMSI doesn't let you scan the original script, it scans the interpreters version which means obfuscation is also defeated).

Therefore, I suspect what is going on here is the normal Windows Defender scanning engine is identifying the PowerShell script for the non-AMSI detection's. At this point, AMSI scanning probably hasn't even been included for that session unless PowerShell has actually tried to execute the script, since it'd be scanning earlier before this point. The first test which had the AMSI detection would have triggered AMSI but it wouldn't have triggered the normal Windows Defender scanning engines (e.g. for on-execution).
 
  • Like
Reactions: harlan4096, Andy Ful, In2an3_PpG and 2 others
E

Eddie Morra

Thread author
Vendula Kubová said:
Therefore, I suspect what is going on here is the normal Windows Defender scanning engine is identifying the PowerShell script for the non-AMSI detection's. At this point, AMSI scanning probably hasn't even been included for that session unless PowerShell has actually tried to execute the script, since it'd be scanning earlier before this point. The first test which had the AMSI detection would have triggered AMSI but it wouldn't have triggered the normal Windows Defender scanning engines (e.g. for on-execution).
Click to expand...
This makes more sense when you take into account that the AMSI detection for the "Affected Items" isn't referencing the file-name of the PowerShell script (e.g. "C:\Users\Lockdown\Desktop\Test.ps1" and "C:\Users\Lockdown\Desktop\Invoke-Mimikatz.ps1").

I am pretty sure that such information isn't provided through AMSI because you won't be told the file path to the script on-disk, you are just handed the script (e.g. in a stream) to scan it yourself when you're acting as a provider for scanning objects. At-least, I've not yet seen such information provided via IAntimalwareProvider yet... then again, the documentation is incredibly small and simple, so who knows.

However, for things like on-execution scanning, Windows Defender would indeed be aware of such information (e.g. the location of the object on the file-system) because obviously such information would be vital for the normal scanning engine to intervene.

Windows Defender has on-execution scanning support from kernel-mode the same way other vendors do. They use kernel-mode callbacks like PsSetCreateProcessNotifyRoutine/Ex among others... and also have file-system monitoring support the same way other vendors do through interacting with the Filter Manager (fltMgr.sys) with FltRegisterFilter.

That being said, in the last test from the original post, the "\Device\HarddiskVolume4\..." formatting indicates the information came from a kernel-mode callback as part of an on-access/on-execution implementation. The formatting isn't DOS like in user-mode (and AMSI is user-mode based).
 
  • Like
Reactions: harlan4096, Andy Ful, In2an3_PpG and 1 other person
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Vendula Kubová said:
Microsoft's Windows Defender Team are the only team which know exactly how to implement AMSI properly along with having access to all of the knowledge on what can go wrong and what will or won't trigger it... unless you reverse-engineer everything and even then you may have missed something.

Microsoft intentionally withhold documentation and it causes third-parties to become confused. This can lead to improper implementations which are unreliable and unstable in the long-run and cause an unknown number of issues. It's Microsoft's fault. The public documentation may as well not exist at all in its current state because it's absolutely atrocious - it isn't very descriptive at all and this isn't helpful on any level.

It's a pathetic state of affairs.

Anyway... here is some information from me that may help you guys. Note, this information is from my own experience and may be inaccurate for Windows Defender's case specifically (since I do not have Windows Defender insider knowledge).

1. When you open PowerShell yourself, that triggers AMSI. When you try to execute any scripts by typing/copy-pasting and entering them, that also triggers AMSI.

2. If you open a PowerShell script from a file and then it loads in PowerShell, this will trigger AMSI as well. The same as #1 will trigger AMSI.

However, Windows Defender also supports on-execution scanning, and if PowerShell is included for this... then this will happen before AMSI can be triggered (because it'd be before PowerShell actually tries to execute the script - AMSI doesn't let you scan the original script, it scans the interpreters version which means obfuscation is also defeated).

Therefore, I suspect what is going on here is the normal Windows Defender scanning engine is identifying the PowerShell script for the non-AMSI detection's. At this point, AMSI scanning probably hasn't even been included for that session unless PowerShell has actually tried to execute the script, since it'd be scanning earlier before this point. The first test which had the AMSI detection would have triggered AMSI but it wouldn't have triggered the normal Windows Defender scanning engines (e.g. for on-execution).
Click to expand...
So in simple language, in the last 2 tests Windows Defender standard detection caught the malicious script before AMSI, and that's why we don't see an AMSI detection?
 
  • Like
Reactions: Andy Ful, In2an3_PpG and Eddie Morra
E

Eddie Morra

Thread author
shmu26 said:
So in simple language, in the last 2 tests Windows Defender standard detection caught the malicious script before AMSI, and that's why we don't see an AMSI detection?
Click to expand...
That is what I suspect, yes.

Try and see if the same scripts which were blocked without the AMSI detection name are blocked by Windows Defender on Windows 8.1 as well... that might be an easy way to confirm without reverse-engineering. Since Windows 8.1 doesn't have AMSI, it's a Windows 10-only feature.
 
  • Like
Reactions: Andy Ful, shmu26 and In2an3_PpG
Status
Not open for further replies.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
    • Applause
AV-TEST Fending off Ransomware even Against State-of-the-art Attack Techniques
Replies
17
Views
1,685
Security Statistics and Reports
NormanF
N
Guilhermesene
    • Like
    • Applause
Hot Take [Tutorial] Update Kaspersky when starting the system automatically
Replies
9
Views
729
Kaspersky
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • Like
AV-Comparatives Advanced Threat Protection Test 2023 – Consumer
Replies
0
Views
451
Security Statistics and Reports
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top