
Good afternoon, guys. If you want, come forward, because there are not many people yet. Good afternoon, thank you to the people of BSides and congratulations on the 20 years. Thank you for attending. My name is Mario Lobo. I am an engineer. I have been in the cyber security area for about 20 years. I worked mostly in cyber security for the state, with governments of different countries, in the military and financial areas, and now I'm a threat researcher at Lumo Technology in the United States.

So, we're going to talk about AMSI. Has anyone heard of AMSI? Have you researched it? Do you have an idea? Okay, we're here to learn, right? I will divide the lecture into three parts. The first: what is AMSI and why is it important? The second: the techniques that are used to evade AMSI, and then we will have a POC looking at how the evasion works. And the third, which is basically conclusions. So we can start.

What would happen if I told you that 79% of attacks in 2024 didn't have malware and also didn't have files on the hard disk? Hard to accept, right? Do you have any idea of that? Most of the attacks don't have malware. Look, I don't say that; CrowdStrike says that, the best intelligence company in the world, one of the best. And also no files, because the execution is completely in memory.

To understand what AMSI is, it is necessary to understand the functioning of an EDR, Endpoint Detection and Response. We speak, people speak, of anti-malware, anti-virus. It's the same thing. The anti-malware is a little engine that has the ability to collect information from the operating system's collectors, sensors; it goes there, does processing, analysis, and tells us: "It's fine, the file has no problem," or "it's malicious." Here are some of the main collectors that EDRs have. The static one is the one we have known all our lives, which is: go there, get information from the file system, get information from the images of the processes, go to a database, compare, and if it is malicious, say: "Man, it's malicious"; otherwise you can execute. There is ETW, Event Tracing for Windows, which basically records all the events that happen on the device. All these changes, permissions, files, whatever you do in the operating system, it stays there. This information goes to the EDR, it analyzes, and that's it. There is ELAM, Early Launch Anti-Malware, which was introduced a few years ago to try to register whether there are modifications in the boot of the operating system, before the operating system is completely up. And a very important one, which is this one in the center, the kernel-mode driver, which basically is trying to get the address in memory where the application is staying and which libraries the application is calling. Do you remember an incident that occurred because of the manipulation of this controller, of this collector? Remember? It was a short time ago, and there is a present for those who remember, you know? So here is an instruction; we take the data from there later. There is a very important teaching, and it is that the EDR can use the collectors of the operating system, but it can also build its own; but with great power comes great responsibility. And that's what happened with CrowdStrike. They manipulated, they moved the driver, and the system became garbage. In the whole world. So, that's it. Most of the collectors come from the operating system, because there are many; otherwise you have to make a parallel operating system, basically. And the other thing that is difficult, right? What happened with CrowdStrike.

AMSI is here. It is a collector for providing information about the execution of scripts. Having this context of how an EDR works, we will look at how AMSI, the Anti-malware Scan Interface, is made to give scripting-based languages the possibility of being integrated with anti-malware or anti-virus. Why? We will see here. These are the languages that are integrated completely, which are PowerShell, Windows Script Host (WScript, CScript), JavaScript, Visual Basic Script, and Office macros. You see there, all these are scripts and are run in the system memory. There are no files there, no forensic artifact, nothing. Only in memory.

Here are the main characteristics. Why would the attacker want to use scripts and not a more formal, more structured language? Yes, because it's very easy. The development of a PowerShell script is not comparable to a program in C, for example. It's much easier. You don't have a headache to make a script. You get the evasion of the lists of programs that are flagged, I would say, as malicious. So you know that, I don't know, Meterpreter is malicious because there is always a Meterpreter signature, but if you make a script, it is not there; it is not in the hash signatures either, because a new script, a small modification, has another hash. And the main reason why the attacker uses the script is because the execution is entirely in memory. You don't have anything on the machine. We will look at the POC, how this is very useful for the attacker. Another thing is that it is portable too. And it is on all systems. The attacker, I don't know if you have the notion of what Living off the Land is. Living off the Land is that the attacker has to live with what is in the system. And in the system there is always PowerShell, for example. Are there systems without PowerShell? There are not. So the tool that the attacker wants to use is always there.
Always. And besides that, PowerShell was designed to manage the system. So the attacker doesn't have to think about writing a function to manipulate the kernel, to manipulate the memory, nothing. It's already done. So who designed PowerShell? Designed for the attacker, basically, because it's very easy. And here there is a connection with this first question. It is the second technique in the tactics, techniques and procedures of the MITRE ATT&CK matrix. Do you know the MITRE matrix? In the world, in 2024, it was Command and Scripting Interpreter: PowerShell. If you look at this first slide, it makes a lot of sense now that it is 79%, because the second most used technique by attackers is the use of PowerShell.

We already have context of what AMSI is and how it works. Now you will see, you will look more in depth. When you go there and run a script in PowerShell, Visual Basic or any other application that has a script, whoever compiles this code goes there, calls AMSI, the library; this library takes this set of code and leaves it there in a place in memory, and notifies any provider, which basically can be anyone; even we can register. But there would be, for example, CrowdStrike, Kaspersky, Bitdefender, Windows Defender; anyone is a provider. It has to go there, read that memory and determine if it is malicious or not. So if you look closely, the EDR has no direct access to the code. It takes information from the buffer and then decides if it is malicious or not. And we start to think how easy the evasion is. In the POC, what I did was simply make that buffer, that space in memory, not go to the provider; it goes to another place that I rewrite there in memory. And the answer will always be "ok". It has two possibilities: "ok" or not "ok": the file is good, the code is good, or it is malicious, and that's it. That is the very general functioning of what AMSI is.

Here, a little more in depth, a very important point is the AMSI buffer, which is the space in memory where the whole code is. So, up to this point, the code has not yet been executed; it just stayed there, saved, waiting, waiting for the provider to pick it up and do the analysis. And so, as we see: "This script contains malicious content and has been blocked by your antivirus software." And in the Event Viewer, you see the detection category, which is an exploit, an exploit made in PowerShell, for PowerShell. The source is AMSI, and here is the channel through which it took the information. So you see it in the Windows Event Viewer.

That said, we already know what it is, how it works and the alerts. Now you will see the bypass techniques. The easiest one, this is very good, a very good technique, but there are times that it works, which is to do the downgrade, to downgrade the PowerShell version. AMSI was introduced starting with Windows 10. You go to Windows 7 and there is no AMSI, so you can execute anything; any code will be fine for it. The problem is that most of them don't have this version 2 of PowerShell. And the other thing is that detection is very easy. This detection is very easy to go from ETW to the SIEM. The second part, here it starts to be more interesting, is obfuscation, which is to encode the functions, the code, to try to deceive this analysis of the EDR. Here it is important that the code goes there, goes to the analysis of the EDR. So here it is just to try to deceive.
What are the advantages? It is relatively easy; now with LLM chats, there is a possibility of doing the obfuscation very easily. In the technique that I will show you, I did it with an LLM, very easy; simply the prompt was: "Take the code and obfuscate it so that AMSI does not detect it." And it did. The problem is that the behavior analysis of the EDR can detect it easily. Another thing is that a lot of obfuscation can break the code; there are so many things that get broken. Another thing is that if the attacker can use artificial intelligence to generate obfuscation, it can also be used to detect patterns. And that's it, because the antivirus, the anti-malware, will analyze it. That's the bad part about obfuscation: it doesn't prevent the anti-malware from analyzing. But there is a very good thing: it can be used with other techniques, as I did. This one, I don't know if you can see, is part of the code that the LLM created for my technique. There, it simply passed in Base64 the variables of the libraries that have to be called, and ready.

Here, this is another very interesting technique and it starts to be more difficult: the part of the AMSI memory. There is high effectiveness, but we have to rewrite; first read where AMSI is initialized, then you have to rewrite these bytes in the system memory, and you can avoid detection and prevent it from reaching the antivirus. The problem is that this first execution has to avoid the static detection of the EDR, so you have to use obfuscation. After the first byte is rewritten, there is no way; nothing goes to the antivirus and we have execution without problem. And the most difficult is this one, which is patchless, which basically is to use reflection. Does anyone know what reflection for byte writing is?
You do not do the writing directly, but use another program that calls these same libraries to ask for the address in memory. As, excuse me, I used you as an example, what is your name? Enzo. You all heard Enzo, so that's it. If I ask the EDR directly for the app, it will know what happened. But if I go here and ask someone who only knows Enzo, he will say: "Man, if you call this, none of you will know." It's more or less like that: asking another for the address of the application I need. And also, even more difficult, is to get another application to go there and rewrite in the memory of another, but not directly, using a bridge. It is very difficult; I applied only part of it, just asking for the memory addresses, but the patching part was done directly; but it is very useful. If you get a good library that has the ability to reflect, you are in business.

So, we will look at the POC and the idea; I will explain a little how it was. Here, just to make sure everything is fine: I'm enabled, it's updated, I don't have alerts there, I have real-time protection without problem, I have the cloud enabled without problem, I'm sending samples now, because the technique is burned; the tamper protection is also all right, no exclusions, there are no exclusions, everything is fine. The idea is to first execute the malware to see how it is detected, and after the patch we will see how it was not detected. So here we are going to use a very well known malware, which is dnscat, a very old DNS tunnel; it is burned everywhere, and we will try to execute it directly from PowerShell, as you see. This command connects, via Internet Explorer, to the GitHub URL, brings the code and leaves it in memory for subsequent execution. But here, as everything is working normally, it won't even work. An alert will appear. Go there, leave it there, and that's it. It was alerted by the antivirus. Why? Because the antivirus took the code from the memory buffer that we saw and the algorithm alerted. We see here in the Event Viewer how it appears, the same thing we saw there: Microsoft Defender was the one who alerted, an exploit, there is the link for the documentation and the source is AMSI, there is the AMSI source, and the one that fired, that made the trigger, was PowerShell.

Then we will look at how, after the patch, nothing happens, because the code will never be analyzed. One thing about PowerShell is that each window is a different process. So I make the patch for the window's process. If you open another window, it will not work, because it is another process; it has parallel instances of AMSI. So here I applied the patch, which is an obfuscated script, to pass this first layer; then the code is already there in memory. I enable verbosity so we can see what it does. And after that I will patch ETW. Why? To not generate logs. Here we will see what the patch does. It is running as a user; it does not need to be an administrator. There it goes, using, look at this, using reflection, via Windows Forms, it asks for the addresses of the protection and of AMSI, reads, rewrites, starts to do... It also reads which providers have registered, takes information from each provider and redirects to the other side. The provider is this one there, 920, and sends it to another address, so no one will read it. And then, here in this part that you see here, original bytes: this is the function that defines if the code is malicious or not. Then I rewrite it to always be ok. So it will wait for an answer, and the answer will always be ok. Here we see, it writes the original bytes, they are 72, 137 in the mask, and they are rewritten to this, which is ok, simply. So, after that, it makes a confirmation to see that the technique holds, and finally I patch ETW to avoid these changes being in the log and then, using another collector, the EDR presenting the alert. So here is this part: rewrite and ready, finished, nothing was alerted and the patch is done.

Now, let's do the same thing from the beginning, which is to try to execute the same malware. We go there, execute; then it should alert again, but it did nothing. It's there in memory and no one will read it, no one will analyze it. Here it doesn't present any log, because I also patched that, so there's no way to know. And then it will make the connection; I prepared an "attacking server" for dnscat; it will connect there through DNS and in the subdomains it will send all the information. So I'm going to create a reverse shell using this domain there, dnstrf.datasite. There, as the code is in memory, simply call the function that the guy who did this presented, startdnscat, domain and domain, the dnstransfer in this case. We can go here a little faster; ready. There, insert the domain; there will be one more error, but this error is because there is no registered DNS server, whatever; I can use any one, I will use Google's 8.8.8.8, so I write 8.8.8.8, and here on the right side we will see how it starts execution; there, well, there is the session started. After that, we have total control of the machine. The limit is imagination. Why? Because we will see that there is a complete shell. For example, there is this location in the folder, and I have the same information. I will create a fake password and it will see it there. So, it has unrestricted access to the system. And what can you do there? You can, for example, make a PS1, a PowerShell script, to dump the LSASS memory and keep all the system users, even the administrator. You can move laterally without problem. So it was done, and there was no alert.

And then comes the problem. Why? Ransomware. The problem of the decade. We don't sleep because of this, but we have work. The problem here is this: all these are the ransomware gangs who made attacks in 2024, and all of them use PowerShell in almost every attack chain. Whoever doesn't use PowerShell uses Visual Basic Script, and if not, JavaScript. The problem is not only the ransomware gangs; the problem is also the infostealers, as we saw there: the second most used technique was PowerShell, but the third is Valid Credentials. So if you don't go for PowerShell, an infostealer arrives, any of these, and takes your credentials, which we saw there in the previous lecture.

What would be the conclusion, what can be done to mitigate the problem? Have a security strategy, cybersecurity, whatever it is. We are passing a lot from defense in depth, from the layers of defense, to Zero Trust. Zero Trust is ideal, because if the attacker is not using malware and is not using files, the only way to detect it is the network, and the network has anomalies. But if there is no Zero Trust, you can't detect anomalies, because normality is chaos, and in that case you cannot find anomalies. The idea is to have a cyber security structure that allows you to catch the anomalies and can take them and alert on them. For example, there is no malware, but someone has to connect to the machine to make the attack. This detection of infrastructure is only valid if you have a pool of IP addresses that are accepted. If you accept everything, Netflix, YouPorn, anything, you won't be able to detect anything different. This idea, the invitation, is first to have a sense of what we saw here. We focused a lot of time on solving, structuring and making things stronger and complex. And we forgot the simple things, like PowerShell, like Visual Basic, like JavaScript. And the simple things are working. So, this is the invitation. Thank you very much. I don't know if there are any questions. Sorry, I'm not Portuguese, but I think I can understand. If you have any questions about the technique, anything, or "nothing, I didn't understand anything, man," that's also valid, right? A question, something here, right? We will be around in the other rooms. A beer, anything, I'll talk to you about the technique. Thank you.
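Added example, not the speaker's code or his POC: the talk makes three claims a defender can check on a Windows host. AMSI state is per process, so a patched shell and a fresh shell behave differently; script text is handed to AMSI (and to script block logging) at compile time, before any byte of it runs, which is why the speaker needs obfuscation for the first stage; and the downgrade and the Defender verdict both leave events in the logs he shows in Event Viewer. The script below is in PowerShell because that is the tool the talk is about. It assumes Microsoft Defender is the registered AMSI provider, that the standard event channels exist (the classic "Windows PowerShell" log with event 400, "Microsoft-Windows-PowerShell/Operational" event 4104, and "Microsoft-Windows-Windows Defender/Operational" event 1116), and that script block logging is enabled for check 3 to return anything. The keyword list in check 3 is a constructed starting point, not a signature, and the AMSI test string is Microsoft's documented sample, built at run time so the script itself is not blocked when loaded.

```powershell
# Added example by the editor, not the speaker's POC. Defender-side checks for
# points made in the talk: AMSI is per-process, it scans script text before it
# runs, and downgrade/patch activity shows up in the logs shown in Event Viewer.

# 1. Is AMSI alive in a *fresh* PowerShell process?
#    The documented AMSI test string is scanned like any other script text and a
#    healthy host refuses to run it. It is assembled at run time so that loading
#    this file does not itself trip AMSI in the calling process. Because AMSI
#    state is per process, this probes a new child, not the (possibly patched)
#    caller: an "ok" here says nothing about the shell you are typing in.
function Test-AmsiInNewProcess {
    $amsiTest = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
    $out = & powershell.exe -NoProfile -NonInteractive -Command "'$amsiTest'" 2>&1 | Out-String
    if ($out -match 'malicious content') { return 'AMSI is active in a new process' }
    return 'WARNING: a new PowerShell process did not block the AMSI test string'
}

# 2. Has anyone started the PowerShell v2 engine (the downgrade the talk
#    describes)? Every engine start writes event 400 to the classic
#    'Windows PowerShell' log, and its message carries an EngineVersion= line.
function Find-PowerShellDowngrade {
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        Select-Object TimeCreated, ProcessId,
            @{ Name = 'Engine'; Expression = { [regex]::Match($_.Message, 'EngineVersion=(\S+)').Groups[1].Value } }
}

# 3. Script block logging (event 4104) records script text when it is compiled,
#    i.e. the same moment AMSI sees it and before the first instruction runs.
#    A patch script must name what it patches somewhere, so hunt for the AMSI
#    and ETW symbols such code reaches for. Constructed keyword list, not a
#    signature; obfuscation (the speaker's first stage) is exactly what hides
#    these names, so absence of hits is weak evidence.
function Find-AmsiTamperingScriptBlocks {
    $keywords = 'AmsiScanBuffer|AmsiOpenSession|amsiInitFailed|AmsiUtils|EtwEventWrite|VirtualProtect'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $keywords } |
        Select-Object TimeCreated, ProcessId,
            @{ Name = 'Snippet'; Expression = {
                $m = $_.Message -replace '\s+', ' '
                $m.Substring(0, [Math]::Min(160, $m.Length)) } }
}

# 4. Defender's detection event (1116) is the one the talk shows in Event Viewer
#    with AMSI as the source; keep only the detections AMSI raised.
function Find-DefenderAmsiDetections {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AMSI' } |
        Select-Object TimeCreated,
            @{ Name = 'Threat'; Expression = { [regex]::Match($_.Message, 'Name:\s*(\S+)').Groups[1].Value } }
}

# Run all four. Empty results for 2-4 only mean something if the logs exist and
# (for 4104) script block logging is turned on.
Test-AmsiInNewProcess
Find-PowerShellDowngrade        | Format-Table -AutoSize
Find-AmsiTamperingScriptBlocks  | Format-Table -AutoSize -Wrap
Find-DefenderAmsiDetections     | Format-Table -AutoSize
```

Run it from an ordinary (unpatched) shell and check 1 should report that the child process blocked the test string; run the same line from a shell where AmsiScanBuffer has been patched as in the POC and the child still blocks it, which is the per-process point the speaker makes when he says a second window is not affected. Checks 2 to 4 read logs after the fact, so they are the ones to forward to the SIEM, as the talk recommends for the downgrade; note that the speaker patches ETW precisely to starve these channels, so the first-stage script block (logged at compile time, before the patch runs) is the record most worth keeping.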