AMSI Memory Patching via .NET Reflection - PowerShell

Rule Info

Name: AMSI Memory Patching via .NET Reflection - PowerShell
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious PowerShell script blocks that attempt to patch AMSI's ScanContent method in memory using the Marshal class. This technique is used by adversaries to bypass AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method.
Date: 2026-06-01 00:00:00
Modified: None
Id: 9e7f2a3b-5c1d-4e8f-b6a2-1d3e5f7a9b0c
Tags: attack.defense-impairment, attack.t1685, attack.execution, attack.t1059.001
Type: Nextron Sigma feed only (private)

Rule History