AMSI Memory Patching via .NET Reflection

Rule Info

Name: AMSI Memory Patching via .NET Reflection
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects runtime method handle patching via the Marshal class targeting AMSI's ScanContent method. Adversaries overwrite method pointers in memory to redirect execution away from monitored code paths, effectively bypassing AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method.
Date: 2026-06-01 00:00:00
Modified: None
Id: c49bd8b5-3a19-4167-8716-6c4f8736f25a
Tags: attack.defense-impairment, attack.t1685, attack.execution, attack.t1059.001
Type: Nextron Sigma feed only (private)

Rule History