ioc[.]one - OSINT Cyber Threat Intelligence Database

Detecting Windows AMSI Bypass Techniques

Tags

cmtmf-attack-pattern:	Process Injection
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Installutil - T1218.004 Javascript - T1059.007 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Process Hollowing - T1055.012 Process Injection - T1631 Software - T1592.002 Tool - T1588.002 Installutil - T1118 Powershell - T1086 Process Hollowing - T1093 Process Injection - T1055 Windows Management Instrumentation - T1047

Show in Graph

Common Information

Type	Value
UUID	77527504-b8a1-491d-bec9-abecf8db02a5
Fingerprint	69fcc8d3da59646
Analysis status	DONE
Considered CTI value	0
Text language
Published	Dec. 21, 2022, midnight
Added to db	Oct. 15, 2024, 4:45 p.m.
Last updated	Nov. 17, 2024, 5:59 p.m.
Headline	Detecting Windows AMSI Bypass Techniques
Title	Detecting Windows AMSI Bypass Techniques
Detected Hints/Tags/Attributes	42/3/13

Source URLs

	Redirection	Url
Details	Source	https://www.trendmicro.com/en_ph/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_nl/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_ie/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_se/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_gb/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_ca/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_dk/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_be/research/22/l/detecting-windows-amsi-bypass-techniques.html
Details	Source	https://www.trendmicro.com/en_fi/research/22/l/detecting-windows-amsi-bypass-techniques.html

URL Provider

Details	Provider	Source level domain
Details	trendmicro.com	www.trendmicro.com

Attributes

Details	Type	#Events	CTI	Value
Details	File	39		amsi.dll
Details	File	3		lol.ps1
Details	File	14		reflection.bin
Details	File	2		networkservicess.exe
Details	File	2		ps1-6.exe
Details	File	83		installutil.exe
Details	File	3		xx.xml
Details	IPv4	5		89.34.27.167
Details	Url	2		http://89.34.27.167/lol.ps1
Details	Url	2		http://89.34.27.167
Details	Url	2		http://89.34.27.167/ps1-6.exe
Details	Url	2		http://89.34.27.167/xx.xml
Details	Windows Registry Key	3		HKLM\SOFTWARE\Microsoft\AMSI\Providers