The evolution of malicious file loading, or how attackers moved from the file system into memory

Standard obfuscation no longer gets past defensive products. Today the fight for stealth is fought at the level of system calls and real-time manipulation of loaded libraries. In this article we trace how the bypasses have evolved: from classic AMSI patching to current EDR-evasion techniques.

https://habr.com/ru/companies/hex_team/articles/995320/

#amsi #amsi_bypass #EDR #pentest #defense_evasion #malware #in_memory_loading

r-tec Blog | Bypass AMSI in 2025

This blog post will shed some light on what's behind AMSI (roughly, but hopefully easy to understand) and how you can still effectively bypass it - more than four years later.

Bypassing AMSI with Dynamic API Resolution in PowerShell

Demonstrates bypassing AMSI by resolving WinAPI functions at runtime in PowerShell, evading static AV detection.

https://rootfu.in/bypassing-amsi-with-dynamic-api-resolution-in-powershell/

#amsi

Bypassing AMSI with Dynamic API Resolution in PowerShell - ROOTFU.IN

```powershell
# Resolve a Win32 export at runtime without naming it in a P/Invoke declaration:
# reach the GetModuleHandle/GetProcAddress wrappers that already ship inside
# System.dll (Microsoft.Win32.UnsafeNativeMethods) through reflection, so no
# "amsi.dll"/"AmsiScanBuffer" P/Invoke signature is visible to a static scanner.
function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }
    ).GetType('Microsoft.Win32.UnsafeNativeMethods')
    # GetProcAddress is overloaded; collect the overloads and use the first one
    $tmp = @()
    $assem.GetMethods() | ForEach-Object { If ($_.Name -eq "GetProcAddress") { $tmp += $_ } }
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

# Build a delegate type for an arbitrary native signature inside an in-memory
# dynamic assembly, so the pointer returned by LookupFunc can later be wrapped
# with [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer.
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    # Runtime-managed constructor and Invoke, the two members every delegate type needs
    $type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')
    $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}
```
AMSI Bypass via RPC Hijack (NdrClientCall3) This technique exploits the COM-level mechanics AMSI uses when delegating scan requests to antivirus (AV) providers through RPC. By hooking into the NdrClientCall3 function—used internally by the RPC runtime to marshal and dispatch function calls—we intercept AMSI scan requests before they're serialized and sent to the AV engine. #amsi #windows #cybersecurity

Bypass AMSI in 2025

This article explores the current state of the Antimalware Scan Interface (AMSI) and effective methods to bypass it as of 2025.

https://www.r-tec.net/r-tec-blog-bypass-amsi-in-2025.html

#amsi #bypass

AMSI Write Raid Bypass Vulnerability | OffSec

In this blog post, we'll introduce a new bypass technique designed to bypass AMSI without the VirtualProtect API and without changing memory protection.

I just discovered an interesting #AMSI bypass which uses a massive amount of overlapping Unicode characters. Apparently if you append a few hundred before and after a known malicious command (such as an AMSI bypass, or "Invoke-Mimikatz"), AMSI either crashes or ignores the #PowerShell code in between the odd code blobs.

The best part is that the code doesn't even need to be obfuscated! Tested this on Windows 10/11 and Server installs with success.

Link to a gist with the bypass in the comments
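Read together, the dynamic-API-resolution post earlier in this feed and the Unicode-padding post above describe two things any script-content inspector (an AMSI provider, or a parser over PowerShell script-block logs) has to cope with: indicators that only surface once the reflective lookup is spelled out, and noise that pushes a naive matcher off the visible command. The Python below is an added example, not code from either post, from AMSI, or from any AV engine: a small scanner that normalizes a script (dropping combining marks and format characters) before signature matching, and separately flags a high padding ratio. The sample scripts, the signature list, the 0.3 threshold and the specific combining marks used as padding are all constructed assumptions; the post does not say which characters it used. It also goes one step past the post by covering padding interleaved inside the command, where a regex over the raw text finds nothing at all.

```python
import re
import unicodedata

# Unicode general categories treated as "padding": nonspacing marks (Mn),
# enclosing marks (Me) and format characters (Cf, e.g. zero-width space).
# Assumption: this is what "overlapping Unicode characters" in the post means.
PADDING_CATEGORIES = {"Mn", "Me", "Cf"}

# Constructed signatures for this example; not any real AMSI/AV signature set.
SIGNATURES = {
    "amsi_tamper": re.compile(r"amsi\.dll|AmsiScanBuffer|AmsiUtils", re.IGNORECASE),
    "reflective_api_resolution": re.compile(
        r"UnsafeNativeMethods|GetProcAddress|GetModuleHandle|DefineDynamicAssembly",
        re.IGNORECASE,
    ),
    "credential_dumping": re.compile(r"Invoke-Mimikatz", re.IGNORECASE),
}

# Constructed padding blob: two combining marks plus a zero-width space, repeated.
PAD = "\u0336\u0300\u200b" * 100
COMMAND = "Invoke-Mimikatz -DumpCreds"

# Constructed sample scripts (none are taken from the posts above).
SAMPLES = {
    "benign": "Get-ChildItem -Path C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }",
    "reflective_resolution": (
        "$assem = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { "
        "$_.Location.Split('\\')[-1].Equals('System.dll') })"
        ".GetType('Microsoft.Win32.UnsafeNativeMethods'); "
        "$addr = LookupFunc amsi.dll AmsiScanBuffer"
    ),
    # padding before and after the command, as the post describes
    "unicode_padded": PAD + COMMAND + PAD,
    # padding interleaved between every character: raw-text matching fails here
    "unicode_interleaved": "".join(ch + "\u0336" for ch in COMMAND),
}


def strip_padding(text: str) -> str:
    """Return the visible command: decompose (NFKD) so precomposed accents
    become base + mark, then drop every mark and format character."""
    return "".join(
        ch for ch in unicodedata.normalize("NFKD", text)
        if unicodedata.category(ch) not in PADDING_CATEGORIES
    )


def padding_ratio(text: str) -> float:
    """Fraction of code points that are padding; 0.0 for an empty string."""
    if not text:
        return 0.0
    padded = sum(1 for ch in text if unicodedata.category(ch) in PADDING_CATEGORIES)
    return padded / len(text)


def scan(script: str, padding_threshold: float = 0.3) -> dict:
    """Match signatures against the normalized text, and additionally flag a
    script whose padding ratio is itself suspicious (threshold is an assumption)."""
    normalized = strip_padding(script)
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(normalized))
    ratio = padding_ratio(script)
    if ratio >= padding_threshold:
        hits.append("unicode_padding")
    return {
        "hits": hits,
        "padding_ratio": round(ratio, 3),
        "normalized": normalized,
        "verdict": "block" if hits else "allow",
    }


if __name__ == "__main__":
    for name, script in SAMPLES.items():
        result = scan(script)
        print(f"{name:22s} {result['verdict']:5s} ratio={result['padding_ratio']:.3f} hits={result['hits']}")
```

The design point is the order of operations: normalize first, match second. Matching the raw text still catches the "before and after" variant because the command itself is untouched, but it misses the interleaved variant completely, while the normalized text matches in both cases. The padding ratio is kept as an independent signal because a scanner that crashes or bails out on such input, as the post reports for AMSI, never gets to the signature step at all.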

📽️ Prof. Hugh Possingham's public lecture on how mathematics can inform policy - or not 🐠🐟 is now available on our YouTube channel

🍿 Watch now: http://youtu.be/W7LBc8eZ3Yg

#AMSI #conservation #policy #Australia #mathematics #AMSIWinterSchool #HugePossum

"How Mathematics Can Inform Policy – Or Not", Public Lecture by Professor Hugh Possingham

#AMSI Winter School at QUT, #Brisbane has finished! What an excellent 2 weeks that was. I learned about #fisheries #modelling, model sloppiness, and reinforcement learning, and I got to share evolutionary game theory with a bunch of enthusiastic students.

(The photo I took on the way back to the hotel)

Prof Hugh Possingham is giving the public lecture this evening about #mathematics and if it makes a difference to #conservation #policy

#HugePossum #AMSI #UQ #QUT