From 8ecf167e85f79b7ac24fcfa5e5f3a136c07b0670 Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Fri, 17 Aug 2018 18:26:04 +0200
Subject: [PATCH] Powershell AMSI Bypass via .NET Reflection

[Ref].Assembly.GetType('http://System.Management .Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) seen in recent activity https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
---
 .../sysmon/sysmon_powershell_AMSI_bypass.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_powershell_AMSI_bypass.yml

diff --git a/rules/windows/sysmon/sysmon_powershell_AMSI_bypass.yml b/rules/windows/sysmon/sysmon_powershell_AMSI_bypass.yml
new file mode 100644
index 00000000..9803e1b0
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_powershell_AMSI_bypass.yml
@@ -0,0 +1,24 @@
+title: Powershell AMSI Bypass via .NET Reflection
+status: experimental
+description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
+references:
+ - https://twitter.com/mattifestation/status/735261176745988096
+ - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
+author: Markus Neis
+date: 2018/08/17
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 1
+ CommandLine:
+ - '*System.Management.Automation.AmsiUtils*'
+ selection2:
+ CommandLine:
+ - '*amsiInitFailed*'
+ condition: selection1 and selection2
+ falsepositives:
+ - Potential Admin Activity
+level: high
+
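Review bot: `falsepositives:` appears to carry leading indentation in the hunk (`+ falsepositives:` where the other top-level keys such as `+level:` and `+title:` have none), which would nest it under `detection:` and make the Sigma compiler treat the list as an additional selection rather than rule metadata; the exact indentation is not recoverable from this collapsed rendering, so confirm it sits at column 0 like `level:`. Both selections match only on the Sysmon EventID 1 `CommandLine`, so the rule fires only when the two substrings reach the process command line verbatim, and a one-liner that is loaded from a script file or lightly rewritten will not be seen. A companion rule on the PowerShell script-block channel (Event ID 4104, `ScriptBlockText`) with the same two substrings would cover that gap. The description would also read better as `Detects access to the amsiInitFailed field of System.Management.Automation.AmsiUtils, which can be used to disable AMSI scanning`.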