Update patch-antimalware-scan-interface-function.yml - include additional functions that can be patched (#1064)

jtothej · web-flow · commit 760c214299b0 · 2025-08-13T08:39:59.000-06:00
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -13,14 +13,20 @@ rule:
       - Defense Evasion::Disable or Evade Security Tools [F0004]
     references:
       - https://fluidattacks.com/blog/amsi-bypass/
+      - https://medium.com/@s12deff/amsi-patching-using-amsiopensession-9d31df8237a8
+      - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
     examples:
       - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
+      - 7cd03db8ed91a66920cc03026baa2df2a8370293b072218b9fbf6d9a21cad66b:0x180004EB0
   features:
     - and:
       - match: change memory protection
       - or:
         - string: "AmsiScanBuffer"
         - string: "AmsiScanString"
+        - string: "AmsiOpenSession"
+        - string: "AmsiInitialize"
       - optional:
         - match: write process memory
         - string: "amsi.dll"
+        - string: "amsi"
