Bypass Record

AMSI Bypass × Microsoft PowerShell 5.1

A publicly reported instance of an AMSI bypass used against Microsoft PowerShell 5.1, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft PowerShell 5.1
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-05-03
Config / version noted: Not stated

Provenance

Reported as: enabling AMSI bypass without VirtualProtect

Mechanism

A writable entry in System.Management.Automation.dll stores the address of AmsiScanBuffer. An attacker who can write to that entry can replace it with the address of a dummy function, so that the PowerShell engine calls a harmless function instead of AmsiScanBuffer and content is never scanned. Because the entry is already writable, the bypass works without changing memory protection or calling VirtualProtect.

Detection & mitigation

Monitor for suspicious in-memory modifications of System.Management.Automation.dll, in particular writes to the location holding the AmsiScanBuffer pointer, using endpoint detection tools that track memory tampering or API-hooking anomalies. Mitigate by applying the latest security updates from Microsoft and enabling attack surface reduction rules that block AMSI tampering.

AMSI Bypass has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.