Bypass Record

AMSI Bypass × Microsoft Management Console (mmc.exe), apds.dll

A publicly-reported instance of an AMSI Bypass technique abusing Microsoft Management Console (mmc.exe) through apds.dll, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Management Console (mmc.exe), apds.dll
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
in the wild
Disclosed
2024-06-22
Config / version noted
Not stated

Provenance

Reported as

The technique exploits an old XSS vulnerability in apds.dll and combines it with DotNetToJScript to achieve code execution, evading static detection.

Mechanism

A crafted MSC console file references an apds.dll resource in its StringTable. When mmc.exe loads the console file it renders the referenced resource, and an XSS flaw in apds.dll executes attacker-controlled JavaScript inside the mmc.exe process. That JavaScript uses DotNetToJScript to instantiate an embedded .NET loader (PASTALOADER), which reads its payload from environment variables and injects it into dllhost.exe using DirtyCLR, function unhooking and indirect syscalls. Because the script engine, not a normal managed host, brings the CLR into mmc.exe, the presence of clr.dll in that process is itself anomalous.

Detection & mitigation

Monitor for mmc.exe launched with an .msc argument from a non-standard path (a user-writable directory rather than %SystemRoot%\System32) and for mmc.exe spawning unexpected child processes such as dllhost.exe. Detect .NET COM object creation with RWX memory allocation in non-standard script hosts such as mmc.exe, for example by call-stack analysis showing clr.dll called from vbscript.dll or jscript.dll. Block or alert on MSC files whose StringTable contains embedded JavaScript or references to apds.dll.
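As an added example, not code from the cited report: a small Python scanner for two of the indicators above. It parses the XML body of an MSC console file and flags StringTable strings that reference apds.dll or carry script, and it evaluates process-creation events for mmc.exe launched with a .msc from a non-standard path and then spawning dllhost.exe. The MSC sample, the event records and the resource path inside the sample are constructed for the example; the XML element names and the event field names (pid, ppid, image, cmdline) are assumptions to adapt to your own files and telemetry.

```python
"""Scanner for GrimResource-style MSC abuse indicators (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicators drawn from the detection notes: apds.dll references and script
# content inside StringTable strings.
APDS_RE = re.compile(r"apds\.dll", re.IGNORECASE)
SCRIPT_RE = re.compile(r"javascript:|vbscript:|<script\b|eval\s*\(", re.IGNORECASE)

# Directories from which mmc.exe is normally handed a console file.
EXPECTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files")

# Constructed MSC body; element names are assumed for this example and the
# apds.dll resource path is a placeholder, not a real one.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">res://apds.dll/page.html?target=javascript:eval(...)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed process-creation events (field names assumed for the example).
SAMPLE_EVENTS = [
    {"pid": "4012", "ppid": "880", "image": "C:\\Windows\\System32\\mmc.exe",
     "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Windows\\System32\\eventvwr.msc\""},
    {"pid": "5120", "ppid": "3300", "image": "C:\\Windows\\System32\\mmc.exe",
     "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Users\\user\\Downloads\\updater.msc\""},
    {"pid": "5188", "ppid": "5120", "image": "C:\\Windows\\System32\\dllhost.exe",
     "cmdline": "C:\\Windows\\System32\\dllhost.exe"},
]


def scan_msc(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious <String> element in an MSC body."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("String"):  # walks any nesting, not just StringTables
        text = node.text or ""
        reasons = []
        if APDS_RE.search(text):
            reasons.append("references apds.dll")
        if SCRIPT_RE.search(text):
            reasons.append("contains script")
        if reasons:
            findings.append({"id": node.get("ID", "?"),
                             "reason": "; ".join(reasons),
                             "value": text[:80]})
    return findings


def flag_process_events(events: List[Dict[str, str]]) -> List[str]:
    """Flag mmc.exe loading a .msc from outside EXPECTED_MSC_DIRS, and any
    dllhost.exe whose parent is one of those mmc.exe processes."""
    suspicious_mmc = set()
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        cmd = ev["cmdline"].lower()
        if image.endswith("\\mmc.exe"):
            # Quoted path (may contain spaces) or bare token ending in .msc.
            m = re.search(r'"([^"]+\.msc)"|(\S+\.msc)', cmd)
            if m:
                path = m.group(1) or m.group(2)
                if not path.startswith(EXPECTED_MSC_DIRS):
                    suspicious_mmc.add(ev["pid"])
                    alerts.append(f"pid {ev['pid']}: mmc.exe loaded console from "
                                  f"non-standard path {path}")
        elif image.endswith("\\dllhost.exe") and ev["ppid"] in suspicious_mmc:
            alerts.append(f"pid {ev['pid']}: dllhost.exe spawned by suspicious "
                          f"mmc.exe pid {ev['ppid']}")
    return alerts


if __name__ == "__main__":
    for f in scan_msc(SAMPLE_MSC):
        print(f"String ID {f['id']}: {f['reason']} -> {f['value']}")
    for a in flag_process_events(SAMPLE_EVENTS):
        print(a)
```

The file scan is deliberately broad: any StringTable string that names apds.dll or carries a script URI is worth a look, because a legitimate console has no reason to point at that DLL. The process rule keys on the .msc path rather than on mmc.exe itself, since administrators launch consoles from System32 constantly; the parent-child link to dllhost.exe is what turns a weak signal into an alert.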

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.