Runtime Detections -CLR(common language runtime) and DLR(dynamic lanuage runtime) - runtimes for .NET -executing code or application flows through a runtime -runtime detection will scan code before execution to determine if malicious -if code is suspected of being malicious it is assigned a value -if that value is within a specific range it will be quarantined or deleted -scan from memory and runtime -AMSI(anti-malware can interface) - shipped natively with windows
AMSI overview -powershell security feature - integrate directly into anti-malware products -scan payloads and scripts before execution inside the .NET runtime -integrated with UAC, powershell, windows script host, javascript, vbscript, office vba macros
AMSI_RESULT_CLEAN = 0 AMSI_RESULT_NOT_DETECTED = 1 AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384 AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479 AMSI_RESULT_DETECTED = 32768
-AMSI instrumented from System.Management.Automation.dll - .NET assembly developed by Windows -AMSI is only insturmented when loaded from memory when executed from the common langauge runtime -Windows Defender (MsMpEng.exe) - assumed to be running -most known bypasses are in Win32 API layer in AmsiScanBuffer API call -insecure powershell: PowerShell with security features removed
Powershell Downgrade -powershell downgrade attack - low-hanging fruit- modify current powershell version to remove security features Powershell -Version 2 -(eg Unicorn) -easy to mitigate
steps: →run cmd PowerShell -Version 2 cd Desktop type flag.txt
PowerShell Reflection -Reflection - allows user or admin to access and interact with .NET assemblies -.NET assmeblies: fundamental units of deployment, version control, reuse, activation scoping and security permissions -PowerShell reflection can be abused to modify and identify information from valuable DLLs -AMSIutils : AMSI utilities for powershell -System.Management.Automation.AmsiUtils: .NET assembly
steps: PowerShell cd Desktop [Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’).GetField(‘amsiInitFailed’,‘NonPublic,Static’).SetValue(true) .\bypass.ps1 type flag-1.txt
Patching AMSI -loaded from amsi.dll -amsi.dll can be abused and forced to point to a response code of choosing -AmsiScanBuffer function provides the hooks and functionality to access pointer/buffer -amsi.dll is loaded into powershell process at startup -AmsiScanBuffer will scan the suspected code and report it to amsi.dll to determine response -the buffer is then overwritten with a clean return code
Automating for Fun and Profit amsi.fail: compile and generate a PowerShell bypass from a collection of known bypasses AMSITrigger: allows attachkers to automatically identify strings that are flagging signatures to modify and break them