⚔️***~ Creator: Malcolm***
🌐 Repo: https://github.com/MalcolmTKS/TH-Proj ✅ Portfolio: malcolmcybersec-io.pages.dev
Attack vector: In-memory patching of the AMSI scan function (AmsiScanBuffer, exported by amsi.dll) inside the script host process, so that script content is never handed to the antimalware provider and the adversary's tooling runs quietly inside the company's network.
Impact: Once an adversary has successfully bypassed AMSI (the Antimalware Scan Interface that AV/EDR products register with to inspect script content), they can run a Cobalt Strike beacon without the scan ever seeing it, establish persistence in the target network and exfiltrate data.
Overview: Created a custom detection rule based on calls to security-relevant Win32 API functions (memory-protection changes and writes that target amsi.dll) and suspicious API hooking/patching events, to detect this adversary TTP against enterprise security tooling.
https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal ← Win32 AMSI
https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-patching-technique
https://www.irmsecurity.com/resources/what-is-amsi-and-why-should-you-care/
Script or PowerShell process → amsi.dll (AmsiScanBuffer) → script/command content passed to the registered antimalware provider → scan and signature check → allow/block verdict returned to the host. The patching technique breaks the chain at the amsi.dll step, so the provider never receives the buffer.
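To make the detection idea in the overview concrete, the block below is an added example written for this page, not the rule from the TH-Proj repository. It runs two rules over constructed telemetry: one over PowerShell ScriptBlock logging text (Event ID 4104) after undoing cheap string obfuscation, and one over API-call events of the kind an EDR or ETW consumer might emit when a process changes memory protection on, or writes into, amsi.dll. The event field names (`script_text`, `api`, `target_module`, `target_function`, `new_protection`) are assumptions standing in for whatever the real telemetry source provides; the sample events are constructed, not captured from a host.

```python
"""
Detection logic for in-memory AMSI patching, written as an added example for
this page (not the project's own rule). Field names such as "script_text",
"api", "target_module" and "new_protection" are assumptions that stand in for
PowerShell ScriptBlock logging (Event ID 4104) and for API-call events an EDR
or ETW consumer might emit.
"""
import re
from dataclasses import dataclass

# Strings that appear when a script reaches for AMSI internals. The bare word
# "amsi" is deliberately absent so comments or help text do not fire the rule.
AMSI_STRINGS = (
    "amsiscanbuffer", "amsiscanstring", "amsiinitialize",
    "amsiutils", "amsiinitfailed", "amsicontext", "amsisession", "amsi.dll",
)

# APIs used to make amsi.dll writable and then overwrite its exported scan routine.
PROTECT_APIS = {"virtualprotect", "virtualprotectex", "ntprotectvirtualmemory"}
WRITE_APIS = {"writeprocessmemory", "ntwritevirtualmemory"}
WRITABLE = {"page_readwrite", "page_execute_readwrite",
            "page_writecopy", "page_execute_writecopy"}


@dataclass
class Alert:
    rule: str
    process: str
    evidence: str


def normalize_script(text: str) -> str:
    """Undo cheap obfuscation before matching: case, backtick escapes,
    string concatenation ('Amsi'+'Scan'+'Buffer') and stray whitespace."""
    t = text.lower().replace("`", "")
    t = re.sub(r"""["']\s*\+\s*["']""", "", t)   # 'a' + 'b' -> 'ab'
    return re.sub(r"\s+", "", t)


def check_scriptblock(event: dict):
    """Rule 1: a logged script block references AMSI internals."""
    normalized = normalize_script(event["script_text"])
    hits = [s for s in AMSI_STRINGS if s in normalized]
    if hits:
        return Alert("amsi_internals_in_scriptblock", event["process"], ", ".join(hits))
    return None


def check_api_call(event: dict):
    """Rule 2: a memory-protection change or memory write that targets amsi.dll."""
    api = event["api"].lower()
    if event.get("target_module", "").lower() != "amsi.dll":
        return None
    if api in PROTECT_APIS and event.get("new_protection", "").lower() in WRITABLE:
        return Alert("amsi_dll_made_writable", event["process"],
                     f"{event['api']} {event.get('target_function', '?')} -> {event['new_protection']}")
    if api in WRITE_APIS:
        return Alert("amsi_dll_memory_write", event["process"],
                     f"{event['api']} {event.get('target_function', '?')}")
    return None


def run_detection(events):
    """Dispatch each event to the matching rule and collect the alerts."""
    alerts = []
    for ev in events:
        check = check_scriptblock if ev["kind"] == "scriptblock" else check_api_call
        alert = check(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"kind": "scriptblock", "process": "powershell.exe",
     "script_text": "Get-Process | Where-Object { $_.CPU -gt 10 }  # AMSI is unrelated here"},
    {"kind": "scriptblock", "process": "powershell.exe",
     "script_text": "$t = [Ref].Assembly.GetType('System.Management.Automation.Amsi' + 'Utils')\n"
                    "$f = $t.GetField('am`siInitFailed', 'NonPublic,Static')"},
    {"kind": "api", "process": "powershell.exe", "api": "VirtualProtect",
     "target_module": "kernel32.dll", "target_function": "CreateFileW",
     "new_protection": "PAGE_EXECUTE_READWRITE"},
    {"kind": "api", "process": "powershell.exe", "api": "VirtualProtect",
     "target_module": "amsi.dll", "target_function": "AmsiScanBuffer",
     "new_protection": "PAGE_EXECUTE_READWRITE"},
    {"kind": "api", "process": "powershell.exe", "api": "VirtualProtect",
     "target_module": "amsi.dll", "target_function": "AmsiScanBuffer",
     "new_protection": "PAGE_EXECUTE_READ"},   # restoring protection: not alerted on its own
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.process}: {a.evidence}")
```

On the sample set, the benign script block and the VirtualProtect call on kernel32.dll stay quiet, the obfuscated reference to AMSI internals fires rule 1, and the write-enabling protection change on AmsiScanBuffer fires rule 2. The last event, which restores read-execute protection after a patch, is left out of the rule on purpose: on its own it is ambiguous, and the write-enabling change that precedes it is the higher-fidelity signal. In production the two rules are strongest when correlated on the same process ID within a short window.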