What starting position does this attack require?

The first step is Medium-integrity shell (T1078) — a initial access primitive. Assumed environment: medium-integrity foothold.

What is the final impact of this kill-chain?

The final step lands on Load .NET stager via Assembly.Load (INJ-MODULE-STOMP), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

AMSI patch → in-memory .NET / PowerShell stager

Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Medium-integrity shell

T1078 · Valid Accounts

Command and Control

C2 beacon established

T1071 · Application Layer Protocol

Persistence

Persistence via WMI subscription

LOL-SCRCONS · scrcons.exe WMI Event Subscription

Defense Evasion

Patch amsi.dll!AmsiScanBuffer

AMSI-PATCH · AMSI In-Memory Patch

Defense Evasion

Patch ntdll!EtwEventWrite to blind ETW

ETW-PATCH · ETW Event-Tracing Patch

Defense Evasion

Load .NET stager via Assembly.Load

INJ-MODULE-STOMP · Module Stomping

§ Context

Assumed environment: medium-integrity foothold. Attacker has the ability to start a PowerShell session or load .NET assembly in their own process. AV relies on AMSI for in-memory script scanning.

§ Steps

01
Medium-integrity shellInitial Access
T1078— Valid Accounts
02
C2 beacon establishedCommand and Control
T1071— Application Layer Protocol
03
Persistence via WMI subscriptionPersistence
LOL-SCRCONS— scrcons.exe WMI Event Subscription
04
Patch amsi.dll!AmsiScanBufferDefense Evasion
AMSI-PATCH— AMSI In-Memory Patch
05
Patch ntdll!EtwEventWrite to blind ETWDefense Evasion
ETW-PATCH— ETW Event-Tracing Patch
06
Load .NET stager via Assembly.LoadDefense Evasion
INJ-MODULE-STOMP— Module Stomping

§ References

T1078Valid Accounts
T1071Application Layer Protocol

§ Frequently asked

What is the "AMSI patch → in-memory .NET / PowerShell stager" attack path?: Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Medium-integrity shell (T1078) — a initial access primitive. Assumed environment: medium-integrity foothold.
What is the final impact of this kill-chain?: The final step lands on Load .NET stager via Assembly.Load (INJ-MODULE-STOMP), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

AMSI patch → in-memory .NET / PowerShell stager

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Build-system implant → signed supply-chain backdoor (SolarWinds-class)

Process hollowing → run beacon in svchost shell

certutil + bitsadmin → AV-friendly stager chain

Autodiscover external leak → credential harvest