AMSI Overview

AMSI (Antimalware Scan Interface) is a Windows security interface rather than a PowerShell-specific feature: it lets any application or service (an AMSI consumer) hand content to whatever anti-malware product is registered on the machine (an AMSI provider) for scanning before that content runs. Microsoft Defender registers as the default provider, so PowerShell, Windows Script Host and the other consumers listed below submit scripts and in-memory payloads to Defender before executing them. From Microsoft: "The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any anti-malware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads."

For more information about AMSI, check out the Windows docs.

The provider returns a result code for every scan, and the calling application (the consumer) decides what to do with the content based on that code. The documented AMSI_RESULT values are:

  • AMSI_RESULT_CLEAN = 0

  • AMSI_RESULT_NOT_DETECTED = 1

  • AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384

  • AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479

  • AMSI_RESULT_DETECTED = 32768

Values between AMSI_RESULT_NOT_DETECTED and AMSI_RESULT_BLOCKED_BY_ADMIN_START are provider-defined, with higher values meaning the provider considers the content more likely to be malicious. The range from 16384 to 20479 means an administrator policy blocked the content. Any value equal to or greater than AMSI_RESULT_DETECTED is treated as malware; this is exactly the test performed by the AmsiResultIsMalware() macro in amsi.h.

These result codes are returned to the calling application, not shown to the user; you only see them directly if you write your own AMSI consumer or provider, or trace the calls into amsi.dll. When the provider reports a detection, the consumer refuses to run the content and raises an error instead. PowerShell, for example, reports that the script contains malicious content and has been blocked by your antivirus software.
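To see the raw result codes rather than PowerShell's interpretation of them, the following added example (not code from the original page) implements a minimal AMSI consumer in PowerShell. It calls amsi.dll directly through P/Invoke, scans a string with whatever provider is registered, and maps the returned code to its symbolic name using the same threshold as the AmsiResultIsMalware() macro. The function names Invoke-AmsiScan and Get-AmsiResultName, the namespace AmsiDemo and the content names are choices made for this example.

```powershell
# Added example, not part of the original page: a minimal AMSI consumer.
# Calling amsi.dll ourselves returns the raw AMSI_RESULT instead of letting
# PowerShell's engine interpret it. AmsiDemo, Invoke-AmsiScan and
# Get-AmsiResultName are names chosen for this example.
Add-Type -Namespace AmsiDemo -Name Native -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);

[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
    string contentName, IntPtr amsiSession, out int result);
'@

function Get-AmsiResultName {
    param([int]$Code)
    # Mapping taken from the AMSI_RESULT enum in amsi.h.
    switch ($Code) {
        0 { return 'AMSI_RESULT_CLEAN' }
        1 { return 'AMSI_RESULT_NOT_DETECTED' }
        { $_ -ge 16384 -and $_ -le 20479 } { return 'AMSI_RESULT_BLOCKED_BY_ADMIN' }
        { $_ -ge 32768 } { return 'AMSI_RESULT_DETECTED' }
        # 2..16383 are provider-defined; higher means more suspicious.
        default { return 'PROVIDER_DEFINED' }
    }
}

function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'AmsiDemo'
    )
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero
    $hr = [AmsiDemo.Native]::AmsiInitialize('AmsiDemo', [ref]$ctx)
    if ($hr -ne 0) { throw "AmsiInitialize failed: 0x$($hr.ToString('X8'))" }
    try {
        $hr = [AmsiDemo.Native]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw "AmsiOpenSession failed: 0x$($hr.ToString('X8'))" }

        # Consumers hand the provider the UTF-16 bytes of the text, as PowerShell itself does.
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Content)
        $result = 0
        $hr = [AmsiDemo.Native]::AmsiScanBuffer($ctx, $bytes, [uint32]$bytes.Length,
                                                $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanBuffer failed: 0x$($hr.ToString('X8'))" }

        [pscustomobject]@{
            ContentName = $ContentName
            Code        = $result
            Name        = Get-AmsiResultName -Code $result
            IsMalware   = ($result -ge 32768)   # same test as AmsiResultIsMalware()
        }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiDemo.Native]::AmsiCloseSession($ctx, $session) }
        if ($ctx -ne [IntPtr]::Zero) { [AmsiDemo.Native]::AmsiUninitialize($ctx) }
    }
}

# Benign content: expect AMSI_RESULT_CLEAN (0) or AMSI_RESULT_NOT_DETECTED (1).
Invoke-AmsiScan -Content 'Get-Date | Out-String' -ContentName 'benign.ps1'

# The EICAR test string is assembled at run time so that saving this file to disk
# does not by itself trigger real-time file scanning. Expect AMSI_RESULT_DETECTED (32768).
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
Invoke-AmsiScan -Content $eicar -ContentName 'eicar.ps1'
```

Run this in a Windows PowerShell session with Defender (or another provider) active. Because the script imports amsi.dll functions by name, some anti-malware signatures written for AMSI bypass tooling may flag the script itself; if that happens, the engine reports the blocked-content error before any of the functions above run, which is the behaviour described in this section.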

AMSI is integrated into the following Windows components:

  • User Account Control (UAC): elevation of executables, COM objects, MSI packages and ActiveX installations

  • PowerShell: scripts, interactive use and dynamically evaluated code

  • Windows Script Host (wscript.exe and cscript.exe)

  • JavaScript and VBScript

  • Office VBA macros

When targeting any of these components as an attacker, expect the code you execute, whether loaded from disk or run entirely in memory, to be handed to AMSI before it runs, and plan around its implementation in that component.
