keyboardcrunch-sentinelone-queries/queries/windows/amsi_bypass_initfailed.yml

title: AMSI Bypass Through InitFailed
description: Detects AMSI bypass through InitFailed.
author: keyboardcrunch
date: 10/10/2020
modified: 
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 001
operating_system: windows
query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
  OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
false_positives: 
tags: 
references: