Detectionhightest

AMSI Bypass Pattern Assembly GetType

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Wed Nov 09e0d6c087-2d1c-47fd-8799-3904103c5a98windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - '[Ref].Assembly.GetType'
            - 'SetValue($null,$true)'
            - 'NonPublic,Static'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0002 · Execution

Sub-techniques

T1562.001 · Disable or Modify Tools

Rule Metadata

Rule ID

e0d6c087-2d1c-47fd-8799-3904103c5a98

Status

test

Level

high

Type

Detection

Created

Wed Nov 09

Author

Florian Roth (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml

Raw Tags

attack.defense-evasionattack.t1562.001attack.execution

View on GitHub