This query detects command-line attempts to disable AMSI (Antimalware Scan Interface). AMSI can be bypassed by disabling it before the main payload is loaded, which is why the attempt itself is worth detecting.
Example:
[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Related
NA
Reference:
{{ mitre("T1562.001")}}
Data Source(s): Command
let c1 = dynamic(['Assembly.GetType','SetValue']);
find where InitiatingProcessCommandLine has_all (c1) or CommandLine has_all (c1)
- Inspect whether the activity is expected and approved, i.e. performed by an admin or a service
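The query keys on the reflection calls (`Assembly.GetType` and `SetValue`) rather than on the string `AmsiUtils`, because the example above splits that name into `'Am'+'siUtils'` to defeat naive string matching. The following Python script is an added example, not part of the original rule: it re-implements the `has_all` logic of the KQL query over a few constructed events (sample data, not real telemetry) so the matching behaviour can be checked offline. KQL's `has` operator does case-insensitive whole-term matching; the `has_term` helper below approximates that with a token-boundary regex, which is an assumption of this example rather than the exact tokenizer Defender uses.

```python
import re
from typing import Dict, List

# Constructed sample events (not real logs). Each record mirrors the two
# fields the KQL query inspects.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # AMSI tamper in the child process command line: must match
        "id": "evt-1",
        "InitiatingProcessCommandLine": "explorer.exe",
        "CommandLine": (
            "powershell.exe -nop -c \"[Ref].Assembly.GetType("
            "'System.Management.Automation.Am'+'siUtils')"
            ".GetField('amsiInitFailed','NonPublic,Static')"
            ".SetValue($null,$true)\""
        ),
    },
    {   # Both terms only in the parent command line: must still match
        "id": "evt-2",
        "InitiatingProcessCommandLine": (
            "powershell.exe -c \"[Ref].Assembly.GetType('X')"
            ".GetField('y').SetValue($null,1)\""
        ),
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # Ordinary reflection use without SetValue: must not match
        "id": "evt-3",
        "InitiatingProcessCommandLine": "services.exe",
        "CommandLine": "powershell.exe -c \"[AppDomain]::CurrentDomain.GetAssemblies()\"",
    },
    {   # SetValue alone: has_all requires every term, so no match
        "id": "evt-4",
        "InitiatingProcessCommandLine": "explorer.exe",
        "CommandLine": "powershell.exe -c \"$x.SetValue($null,$true)\"",
    },
]

# The dynamic array c1 from the query and the two fields it is applied to.
TERMS = ["Assembly.GetType", "SetValue"]
FIELDS = ["InitiatingProcessCommandLine", "CommandLine"]


def has_term(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive, whole-term match.

    KQL tokenizes on non-alphanumeric characters, so the term must not be
    glued to alphanumeric characters on either side (e.g. 'MySetValueX'
    does not contain the term 'SetValue').
    """
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, flags=re.IGNORECASE) is not None


def has_all(text: str, terms: List[str]) -> bool:
    """KQL `has_all`: every term must be present in the field."""
    return all(has_term(text, t) for t in terms)


def find_amsi_tamper(events: List[Dict[str, str]],
                     terms: List[str] = TERMS,
                     fields: List[str] = FIELDS) -> List[str]:
    """Return the ids of events where any inspected field contains all terms,
    mirroring `InitiatingProcessCommandLine has_all (c1) or CommandLine has_all (c1)`."""
    return [
        e["id"] for e in events
        if any(has_all(e.get(f, ""), terms) for f in fields)
    ]


if __name__ == "__main__":
    for event_id in find_amsi_tamper(SAMPLE_EVENTS):
        print(f"suspicious AMSI tamper pattern: {event_id}")
```

Running the script flags `evt-1` and `evt-2` only. The two negative cases show the limits of the rule as written: legitimate reflection that never calls `SetValue` is ignored, and a `SetValue` call without `Assembly.GetType` is ignored as well, so triage of a hit should focus on what the reflected type and field actually are.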
Version 1.0 (date: 10/07/2023)