Ghosting AMSI: Cutting RPC to Disarm AV

This technique bypasses AMSI by hijacking NdrClientCall3 to intercept RPC calls, which makes AV scans ineffective without patching AMSI itself.

https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80

#AMSIBypass #RPCExploitation

Ghosting AMSI: Cutting RPC to disarm AV - Andrea Bocchetti - Medium

In this post, we explore how to bypass AMSI’s scanning logic by hijacking the RPC layer it depends on — specifically the NdrClientCall3 stub used to invoke remote AMSI scan calls. This technique…
