Detecting Windows AMSI Bypass Techniques
Common Information
Type Value
UUID e43ea389-5a40-458b-a796-bb035fc3baa8
Fingerprint 69fcc8d3da59686
Analysis status DONE
Considered CTI value 0
Text language
Published Dec. 21, 2022, midnight
Added to db Oct. 15, 2024, 9:49 p.m.
Last updated Nov. 17, 2024, 5:59 p.m.
Headline Detecting Windows AMSI Bypass Techniques
Title Detecting Windows AMSI Bypass Techniques
Detected Hints/Tags/Attributes 42/3/13
Attributes
Type                  #Events  CTI Value
File                  39       amsi.dll
File                  3        lol.ps1
File                  14       reflection.bin
File                  2        networkservicess.exe
File                  2        ps1-6.exe
File                  83       installutil.exe
File                  3        xx.xml
IPv4                  5        89.34.27.167
Url                   2        http://89.34.27.167/lol.ps1
Url                   2        http://89.34.27.167
Url                   2        http://89.34.27.167/ps1-6.exe
Url                   2        http://89.34.27.167/xx.xml
Windows Registry Key  3        HKLM\SOFTWARE\Microsoft\AMSI\Providers