LoFP

Potential for some third-party applications to disable AMSI upon invocation. Filter as needed.

Techniques

Sample rules

Unloading AMSI via Reflection

Description

The following analytic detects tampering with AMSI (Antimalware Scan Interface) through PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically script blocks that reference system.management.automation.amsi, the namespace prefix of the internal AmsiUtils type that reflective bypasses reach into. This activity is significant because it indicates an attempt to disable AMSI, a critical security feature that helps detect and block malicious scripts before they run. If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to system compromise and data exfiltration. Note that the match is a literal, case-insensitive substring search: a script that assembles the type name at runtime (for example by string concatenation) never contains the full string in the logged block text, and this analytic will not fire on it.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `unloading_amsi_via_reflection_filter`
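To check what the search above actually groups and returns, here is an added example that re-implements the same logic in Python over a handful of constructed 4104 records. It is not Splunk's code and not part of the original rule; the events, host names and user names are made up, and `ctime` is a stand-in for the security_content_ctime macro (assumed to render epoch seconds as a UTC timestamp), while the trailing filter macro is assumed to pass everything through, as it does by default.

```python
"""Added example: the Unloading AMSI via Reflection search, re-implemented in
Python over constructed PowerShell 4104 records. Not Splunk code."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). Each dict carries the fields
# the SPL references: EventCode, ScriptBlockText, Computer, user_id, _time.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": 1700000000,
     "Computer": "ws01.corp.local", "user_id": "CORP\\alice",
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"},
    {"EventCode": 4104, "_time": 1700000060,
     "Computer": "ws01.corp.local", "user_id": "CORP\\alice",
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"},
    # Same text, different host and user: a separate row in the stats output.
    {"EventCode": 4104, "_time": 1700000120,
     "Computer": "ws02.corp.local", "user_id": "CORP\\bob",
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"},
    # Benign script block: no AMSI reference, must not match.
    {"EventCode": 4104, "_time": 1700000180,
     "Computer": "ws01.corp.local", "user_id": "CORP\\alice",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # Wrong event code: the search is scoped to 4104 only.
    {"EventCode": 4103, "_time": 1700000240,
     "Computer": "ws01.corp.local", "user_id": "CORP\\alice",
     "ScriptBlockText": "System.Management.Automation.AmsiUtils"},
    # Evasion: the type name is assembled at runtime, so the literal never
    # appears in the logged block text and this rule misses it.
    {"EventCode": 4104, "_time": 1700000300,
     "Computer": "ws03.corp.local", "user_id": "CORP\\carol",
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')"},
]

NEEDLE = "system.management.automation.amsi"


def ctime(epoch):
    # Stand-in for the security_content_ctime macro (assumed UTC rendering).
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def matches(event):
    # Splunk search-term matching on the wildcard is case-insensitive; mirror that.
    return event["EventCode"] == 4104 and NEEDLE in event["ScriptBlockText"].lower()


def unloading_amsi_via_reflection(events):
    """Equivalent of `stats count min(_time) max(_time) by EventCode
    ScriptBlockText Computer user_id` over the filtered events."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["user_id"])
            groups[key].append(ev["_time"])
    rows = []
    for (code, text, computer, user), times in groups.items():
        rows.append({
            "EventCode": code, "ScriptBlockText": text,
            "Computer": computer, "user_id": user,
            "count": len(times),
            "firstTime": ctime(min(times)),
            "lastTime": ctime(max(times)),
        })
    # The filter macro is assumed to be the default pass-through, so no rows are dropped.
    return sorted(rows, key=lambda r: (r["Computer"], r["user_id"]))


if __name__ == "__main__":
    for row in unloading_amsi_via_reflection(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: alice on ws01 with count 2 and bob on ws02 with count 1. The 4103 record is excluded by event code, the benign block by content, and carol's concatenated type name by the literal match, which is the gap an analyst should keep in mind when tuning the filter macro.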