AMSI Bypass Redux

Three months ago we published a blog, “AMSI Bypass the Patching Technique,” describing how to bypass Microsoft AMSI (Antimalware Scan Interface) protection. Microsoft has since changed the way AMSI handles PowerShell sessions, so our original bypass technique…

The Cloud Shadow Admin Threat: 10 Permissions to Protect

Organizations worldwide are moving to the cloud – and that migration is creating the threat of shadow admins. On-premises shadow admin accounts have sensitive privileges and are typically overlooked because they are not members of…

Anatomy of the Triton Malware Attack

Schneider Electric SE recently fell victim to a breach of its safety system, which crippled operations at a critical infrastructure facility in the Middle East. It’s the first reported attack on a safety instrumented system…

AMSI Bypass: Patching Technique

Abstract: In this blog post, we introduce a technique that can help attackers run malicious code over Microsoft Windows 10 (Version 1607) using PowerShell (version 5). CyberArk alerted Microsoft to the weakness, and while Microsoft…