In an investigation into techniques used to either avoid or disable AMSI, Sophos researchers said on Wednesday that threat actors will try everything from living-off-the-land tactics to fileless attacks.
Perhaps the opportunities AMSI bypass represents were highlighted in a tweet by security expert Matt Graeber in 2016, in which Sophos says a single line of code flipped a PowerShell attribute for AMSI integration and, in theory, may have stopped PowerShell-based processes from requesting scans.
While now integrated and flagged as malicious now for years, malware developers have taken inspiration from the one-line AMSI bypass and variations are still in use today that have been obfuscated to try and dance around signature-based scans.
Read more…
Source: ZDNet