AMSI stands for Anti-Malware Scan Interface and it is another feature of Windows Defender for detecting malicious actors. AMSI is targeted especially at malicious scripts and other less obvious/dangerous programmatic components.

AMSI can also detect heuristically, which means that a program's behavior is one of the criteria used to decide whether it is flagged as malicious. Moreover, it performs in-memory detection by loading the AMSI module into each process's memory.

Microsoft developed the engine in response to the fileless attacks that were becoming more and more popular at the time: threat actors stopped dropping malicious files or scripts on the file system and started working exclusively in memory.

On AMSI-powered systems, any PowerShell or VBScript code is picked up by AMSI before the scripting engine executes it. AMSI, in turn, hands it over to the anti-malware solution, which gives a thumbs up or a thumbs down based on its signature database. If it's a thumbs down, PowerShell will not execute that code, whether it was downloaded from the internet and run in memory or run from a script file.

AMSI deeply integrates with several components of Microsoft Windows, having visibility over:

<aside> ⚠️

So if you are using a Command & Control framework's payload and are mainly running BOFs or COFFs from there, you will never need to bypass AMSI at all. If you do implement a bypass in your loader, you will only increase the IoCs and the likelihood of being detected by that bypass attempt. It's always better to leave out bypasses unless you really need them!

On the other hand, if you want to run known malicious and unobfuscated public tools, e.g. from GitHub, in any of the above languages, or reuse code from them in your own tools, you will need to bypass AMSI to get those tools to run. Are you going to execute GitHub scripts via Invoke-Expression in PowerShell? Are you loading a .NET assembly via Assembly::Load()? Creating malicious Office macros? Loading scripts into memory via mshta.exe, cscript.exe or wscript.exe? You will likely need an AMSI bypass.

</aside>

AMSI Architecture


In the Antivirus provider layer, you can use either Windows Defender or third-party solutions.

How does it work?


Suppose, for example, that a powershell.exe process is started: amsi.dll is automatically loaded into the new process. Every time a command is executed or a module is loaded in powershell.exe, AMSI sends its content to the anti-malware engine, which scans it and either allows or blocks its execution.

To answer the question "is this data malicious?", PowerShell (or whatever other process chooses to use it) has to explicitly ask AMSI to scan the content. That functionality is provided by amsi.dll, so we can tell whether a program potentially uses AMSI by looking for this DLL among its loaded modules.
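The two checks described above, as an added example (not code from the original notes): enumerate the anti-malware providers registered in the provider layer, and list the running processes that have amsi.dll loaded. It assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1 or newer; run it elevated to see the module lists of other users' processes.

```powershell
# Added example, not part of the original notes.
# Assumes Windows 10 / Server 2016+ and PowerShell 5.1+.

# 1. Provider layer: AMSI providers register their COM CLSID under this key.
#    The CLSID's default value in HKCR gives the friendly name, and
#    InprocServer32 gives the DLL that implements the provider.
function Get-AmsiProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return @() }   # no providers registered at all
    Get-ChildItem $root | ForEach-Object {
        $clsid = $_.PSChildName
        $key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name  = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
        $dll   = (Get-ItemProperty "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll }
    }
}

# 2. Consumer side: a process that has amsi.dll loaded can hand content to AMSI.
#    Reading the module list of a protected or cross-bitness process throws,
#    so those processes are skipped rather than aborting the scan.
function Get-AmsiConsumer {
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules.ModuleName -contains 'amsi.dll' } catch { $false }
    } | Select-Object Id, ProcessName
}

'Registered AMSI providers:'
Get-AmsiProvider | Format-Table -AutoSize
'Processes with amsi.dll loaded (AMSI consumers):'
Get-AmsiConsumer | Format-Table -AutoSize
```

An empty provider list means nothing is answering AMSI requests, and a scripting host missing from the consumer list is worth a second look on a host where you expect it to be covered.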