
A new feature called Antimalware Scan Interface, which allows AVs to 'see' PowerShell commands executed, was introduced in PowerShell v5.

According to adsecurity, this feature seems to rely on the system-wide System.Management.Automation.dll assembly:

When code is delivered to the PowerShell “engine” (System.Management.Automation.dll), it is sent to the AMSI for anti-malware checks.

Does that mean AMSI would not work if a PowerShell script is executed from an embedded System.Management.Automation.dll assembly into an executable?

cgcmake
Yes, AMSI is detected by a specific PS engine DLL version (starting with PS5.0), so if you deploy V4.0, then AMSI won't be used. – Crypt32 Jul 26 '16 at 18:13
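
A defender-side check for the situation raised in the thread above, added here as an example that is not part of the original question or comment: it flags PowerShell engine starts older than 5.0, the first version with AMSI according to the thread. It assumes Event ID 400 records from the classic "Windows PowerShell" log, whose text carries `EngineVersion=` and `HostApplication=` fields; the function name `Get-PreAmsiEngineStart`, the sample events and the path in them are constructed for illustration.

```powershell
# Added example (not from the original thread): report engine starts below 5.0.
# Input is the message text of Event ID 400 from the "Windows PowerShell" log.
function Get-PreAmsiEngineStart {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message,                    # text of one Event ID 400 record
        [version]$MinimumVersion = '5.0'     # first engine with AMSI, per the thread
    )
    process {
        # Collect the key=value detail lines of the event into a hashtable.
        $fields = @{}
        foreach ($m in [regex]::Matches($Message, '(?m)^[ \t]*(\w+)=([^\r\n]*)')) {
            $fields[$m.Groups[1].Value] = $m.Groups[2].Value.Trim()
        }
        # Skip records with a missing or malformed EngineVersion instead of failing.
        $parsed = $null
        if (-not [version]::TryParse([string]$fields['EngineVersion'], [ref]$parsed)) { return }
        if ($parsed -lt $MinimumVersion) {
            [pscustomobject]@{
                EngineVersion   = $parsed
                HostName        = $fields['HostName']
                HostApplication = $fields['HostApplication']
            }
        }
    }
}

# Constructed sample events (not real log data).
$sampleEvents = @(
@'
Engine state is changed from None to Available.
    HostName=ConsoleHost
    HostApplication=powershell.exe
    EngineVersion=5.1.19041.1
'@,
@'
Engine state is changed from None to Available.
    HostName=Default Host
    HostApplication=C:\example\custom-host.exe
    EngineVersion=4.0
'@,
@'
Engine state is changed from None to Available.
    HostName=ConsoleHost
    HostApplication=powershell.exe
'@
)
# Only the 4.0 record is reported; the 5.1 record passes, the last one is skipped.
$sampleEvents | Get-PreAmsiEngineStart | Format-Table -AutoSize
```

Against a live system the same function can be fed from the log with `Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } | ForEach-Object Message | Get-PreAmsiEngineStart`.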
