Adversaries may use the Amsi.DLL via a LOLBIN process to evade detection and execute malicious code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential stealthy malware execution attempts.
Detection Rule
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: test
description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
references:
- Internal Research
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
- attack.defense-evasion
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\amsi.dll'
Image|endswith:
# TODO: Add more interesting processes
- '\ExtExport.exe'
- '\odbcconf.exe'
# - '\regsvr32.exe' # legitimately calls amsi.dll
- '\rundll32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\amsi.dll" and (InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\odbcconf.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe")Scenario: Scheduled Task Using amsi.dll for Legitimate Monitoring
Description: A scheduled task is configured to use a legitimate monitoring tool that loads amsi.dll as part of its operation.
Filter/Exclusion: Exclude processes associated with known monitoring tools (e.g., Microsoft Monitoring Agent, Windows Defender, or Microsoft Intune).
Scenario: System Update or Patching via amsi.dll
Description: A system update or patching process (e.g., Windows Update, SCCM, or WSUS) loads amsi.dll as part of its execution.
Filter/Exclusion: Exclude processes related to system updates (e.g., wuauclt.exe, msiexec.exe, setup.exe).
Scenario: Admin Task Using PowerShell with amsi.dll
Description: An administrator runs a PowerShell script that uses a legitimate module or tool that loads amsi.dll for compliance or auditing purposes.
Filter/Exclusion: Exclude processes launched by administrators using PowerShell (e.g., powershell.exe with runas or via Task Scheduler).
Scenario: Legitimate Anti-Malware Tool Integration
Description: A third-party anti-malware tool (e.g., Microsoft Defender, Bitdefender, or Kaspersky) loads amsi.dll as part of its integration with Windows.
Filter/Exclusion: Exclude processes associated with known anti-malware tools (e.g., MsMpEng.exe, bdagent.exe, kavsvc.exe).
Scenario: Custom Script or Tool Using amsi.dll for Code Analysis
Description: A custom script or internal tool (e.g., a code analysis or static analysis tool) loads amsi.dll to inspect or sanitize