In-Memory Detections

The Antimalware Scan Interface (AMSI) is a Windows component that allows applications to integrate with an antivirus engine through a consumable, language-agnostic interface. It was designed to tackle "fileless" malware, heavily popularised by tools like the EmpireProject, which leveraged PowerShell for complete in-memory C2.

Any third-party application can use AMSI to scan user input for malicious content, and many Windows components now use it too, including PowerShell, the Windows Script Host, JavaScript, VBScript and VBA. If we try to execute one of the PowerShell payloads on our attacking machine, it gets blocked.

PS C:\Users\Attacker> C:\Payloads\smb_x64.ps1
At C:\Payloads\smb_x64.ps1:1 char:1
+ Set-StrictMode -Version 2
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.

The alert that Defender produces is tagged with amsi: rather than file:, indicating that the malicious content was detected in memory rather than on disk.
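
As an added example that is not part of the course material: a PowerShell helper that reads Defender's 1116/1117 detection events and flags those whose Path is tagged amsi:, so in-memory detections can be separated from on-disk ones during triage. The message field names and the amsi:_ / file:_ prefix layout are assumed from the usual 1116 message format, and the sample event below is constructed.

```powershell
# Added example, not part of the course: split Defender detections into in-memory (amsi:) and on-disk (file:) hits.
function ConvertFrom-DefenderDetection {
    param(
        [Parameter(Mandatory)][string]$Message,   # body of a Defender 1116/1117 event
        [datetime]$Time = (Get-Date)
    )
    # Collect the "Key: value" lines of interest from the message body.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(Name|Path|Detection Source|Process Name):\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    # Assumed layout: Path lists one resource per ';', each prefixed with its type ("amsi:_..." or "file:_...").
    $resources = @(($fields['Path'] -split ';') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Time      = $Time
        Threat    = $fields['Name']
        InMemory  = [bool]($resources | Where-Object { $_ -like 'amsi:*' })
        Resources = $resources
        Process   = $fields['Process Name']
        Source    = $fields['Detection Source']
    }
}

# Constructed sample in the shape of a 1116 message; not a real event from the course environment.
$sample = @"
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
    Name: Trojan:PowerShell/ConstructedSample
    Severity: Severe
    Path: amsi:_C:\Payloads\smb_x64.ps1; file:_C:\Payloads\smb_x64.ps1
    Detection Source: AMSI
    Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"@
ConvertFrom-DefenderDetection -Message $sample | Format-List

# On a live host, run the same parser over the real Defender operational log and keep only in-memory hits.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-DefenderDetection -Message $_.Message -Time $_.TimeCreated } |
    Where-Object InMemory |
    Format-Table Time, Threat, Process, Resources -AutoSize
```

Reading the operational log requires local administrator rights on most hosts; without them the live query simply returns nothing.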

And attempting to move laterally to the file server will also fail.

beacon> jump winrm64 fs.dev.cyberbotic.io smb
[-] Could not connect to pipe: 2 - ERROR_FILE_NOT_FOUND

Even though the scan happens in memory, the detections are still based on "known bad" signatures. PowerShell scripts are a little easier to analyse than compiled binaries: scanning the script with ThreatCheck and the -e AMSI parameter shows the strings that trigger the detection.

PS C:\Users\Attacker> C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\smb_x64.ps1 -e AMSI
[+] Target file size: 358025 bytes
[+] Analyzing...
[!] Identified end of bad bytes at offset 0x57450
00000000   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000010   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000020   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000030   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000040   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000050   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000060   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000070   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000080   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
00000090   4D 6A 49 79 4D 6A 49 79  4D 6A 49 79 4D 6A 49 79   MjIyMjIyMjIyMjIy
000000A0   4D 6A 49 79 4D 6A 49 77  3D 3D 27 29 0A 0A 09 66   MjIyMjIw==')···f
000000B0   6F 72 20 28 24 78 20 3D  20 30 3B 20 24 78 20 2D   or ($x = 0; $x -
000000C0   6C 74 20 24 76 61 72 5F  63 6F 64 65 2E 43 6F 75   lt $var_code.Cou
000000D0   6E 74 3B 20 24 78 2B 2B  29 20 7B 0A 09 24 76 61   nt; $x++) {··$va
000000E0   72 5F 63 6F 64 65 5B 24  78 5D 20 3D 20 24 76 61   r_code[$x] = $va
000000F0   72 5F 63 6F 64 65 5B 24  78 5D 20 2D 62 78 6F 72   r_code[$x] -bxor

[*] Run time: 3.13s

Where the Artifact Kit was used to modify the binary (EXE and DLL) payloads, the Resource Kit is used to modify the script-based payloads, including the PowerShell, Python, HTA and VBA templates.