Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-07-23

Config / version noted

Not stated

Provenance

github.com
disclosed 2025-07-23 · original source · via exa
gist.github.com
disclosed 2025-07-31 · original source · via exa

Reported as

Script 1 performs an in-memory patch of the AmsiScanBuffer function... to force AMSI to return a failure code, effectively disabling scanning.

Mechanism

Script 1 performs an in-memory patch of the AmsiScanBuffer function by loading amsi.dll, locating the function address, changing memory protection, and overwriting it with assembly instructions (mov eax, 0x80070057; ret) to force AMSI to return a failure code, effectively disabling scanning. Script 2 is a simple TCP reverse shell that connects back to an attacker-controlled host.

Detection & mitigation

Monitor for PowerShell script block logging (Event ID 4104) and module logging (Event ID 4103) for signs of AMSI tampering, such as calls to VirtualProtect on AmsiScanBuffer or loading amsi.dll with subsequent memory patching. Mitigate by enabling constrained language mode, script block logging, and using application control to block unsigned scripts.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.