Antimalware Scan Interface Bypasses: Evading Detection to Perform Post Exploitation Activities
During red team engagements and penetration tests, one of the initial challenges that penetration testers and red teamers must overcome is the Antimalware Scan Interface (AMSI) integrated with most endpoint security solutions. AMSI was designed to add a layer of defense to Windows operating systems by analyzing and preventing the execution of malicious files. AMSI presents a challenge to penetration testers and red teamers because many of the tools used in offensive engagements are detected by AMSI as malicious files. Since the introduction of AMSI, publicly released AMSI bypass techniques have been only temporarily successful: AMSI is periodically updated with signatures to identify malicious files and to address well-known bypass techniques. This research analyzes how AMSI works and the techniques red teamers and penetration testers leverage to develop new AMSI bypass techniques for post-exploitation activities.
sans-antimalware-scan-interface-bypasses-evading-detection-to-perform-post-exploitation-activities (PDF, 0.70MB)
29 Sep 2022