Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly reported instance of AMSI Bypass used against Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows AMSI
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2025-11-14
Config / version noted: Not stated

Provenance

Reported as

bypassing detection by endpoint security solutions that rely on AMSI

Mechanism

The proof-of-concept uses Rust to load amsi.dll, resolve the address of AmsiScanBuffer, change the memory protection of that region to writable, and overwrite the function's entry point with a return sequence that reports AMSI_RESULT_CLEAN. Because every scan then returns "clean" without inspecting the buffer, AMSI can no longer scan script content before execution, bypassing detection by endpoint security solutions that rely on AMSI.

Detection & mitigation

Monitor for suspicious memory modifications to amsi.dll, specifically writes to the AmsiScanBuffer function, using endpoint detection and response (EDR) tooling with memory integrity monitoring. Mitigate by enabling Windows Defender Application Control (WDAC) or AppLocker to restrict untrusted code execution, and keep AMSI-integrated security products updated.
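The memory integrity check described above, as an added example that is not the cited proof-of-concept and not Microsoft's or any EDR vendor's code: a host process snapshots the leading bytes of AmsiScanBuffer at startup, while it is known to be clean, and re-compares them before trusting a scan verdict. The comparison and reporting logic is platform-independent; the Windows-specific reader is hand-declared behind `cfg(windows)` so no external crate is needed. The 16-byte guard length, the module and symbol names, and the sample byte patterns are assumptions of this example. It is a point-in-time, in-process check: a patch applied before the snapshot, or bytes restored between checks, will not be seen, and the checker itself lives in the same process as the code it guards, which is why EDR-side memory integrity monitoring remains the primary control.

```rust
// Added example: defender-side integrity check for the AmsiScanBuffer
// entry point. Not the cited PoC; names and guard length are assumptions.

/// Number of leading bytes to guard. Assumption: 16 bytes covers the
/// prologue that an in-memory patch would overwrite.
pub const PROLOGUE_LEN: usize = 16;

/// Result of comparing the live entry bytes against the trusted snapshot.
#[derive(Debug, PartialEq, Eq)]
pub enum Integrity {
    Intact,
    /// Offset of the first differing byte, with snapshot and live values.
    Patched { offset: usize, expected: u8, found: u8 },
}

/// Compare the current bytes at the function entry with the snapshot taken
/// while the process was known to be clean.
pub fn check_prologue(snapshot: &[u8], live: &[u8]) -> Integrity {
    for (offset, (e, f)) in snapshot.iter().zip(live.iter()).enumerate() {
        if e != f {
            return Integrity::Patched { offset, expected: *e, found: *f };
        }
    }
    Integrity::Intact
}

/// Render the finding as one telemetry line for an EDR/SIEM pipeline.
pub fn describe(module: &str, symbol: &str, result: &Integrity) -> String {
    match result {
        Integrity::Intact => format!("{}!{}: prologue intact", module, symbol),
        Integrity::Patched { offset, expected, found } => format!(
            "{}!{}: in-memory patch at +{} (expected 0x{:02x}, found 0x{:02x})",
            module, symbol, offset, expected, found
        ),
    }
}

#[cfg(windows)]
mod live {
    use std::ffi::{c_void, CString};
    use std::os::raw::c_char;

    // Hand-declared Win32 imports so the example needs no external crate.
    #[link(name = "kernel32")]
    extern "system" {
        fn LoadLibraryA(name: *const c_char) -> *mut c_void;
        fn GetProcAddress(module: *mut c_void, name: *const c_char) -> *mut c_void;
    }

    /// Read the leading `len` bytes of an exported function in this process.
    pub fn read_prologue(module: &str, symbol: &str, len: usize) -> Option<Vec<u8>> {
        let m = CString::new(module).ok()?;
        let s = CString::new(symbol).ok()?;
        unsafe {
            let h = LoadLibraryA(m.as_ptr());
            if h.is_null() {
                return None;
            }
            let p = GetProcAddress(h, s.as_ptr());
            if p.is_null() {
                return None;
            }
            Some(std::slice::from_raw_parts(p as *const u8, len).to_vec())
        }
    }
}

fn main() {
    #[cfg(windows)]
    {
        // Take the snapshot before any untrusted script or plugin runs, then
        // re-read and compare whenever the host is about to rely on a verdict.
        let snapshot = live::read_prologue("amsi.dll", "AmsiScanBuffer", PROLOGUE_LEN)
            .expect("amsi.dll / AmsiScanBuffer not available");
        let now = live::read_prologue("amsi.dll", "AmsiScanBuffer", PROLOGUE_LEN).unwrap();
        println!("{}", describe("amsi.dll", "AmsiScanBuffer", &check_prologue(&snapshot, &now)));
    }
    #[cfg(not(windows))]
    {
        // Constructed sample (not real AmsiScanBuffer bytes): a clean snapshot
        // and a live copy whose first byte was overwritten with `ret` (0xC3).
        let snapshot = [
            0x48u8, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c,
            0x24, 0x10, 0x56, 0x57, 0x41, 0x56, 0x48, 0x83,
        ];
        let mut patched = snapshot;
        patched[0] = 0xC3;
        println!("{}", describe("amsi.dll", "AmsiScanBuffer", &check_prologue(&snapshot, &snapshot)));
        println!("{}", describe("amsi.dll", "AmsiScanBuffer", &check_prologue(&snapshot, &patched)));
    }
}
```

The snapshot must be taken before any untrusted code has run in the process, and the comparison should be repeated at the points where the host acts on an AMSI result rather than once at startup; the telemetry line is meant to be forwarded, not merely printed, so that an EDR or SIEM can correlate it with the process that wrote to amsi.dll.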

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.