Bypass Record
AMSI Bypass × Microsoft Windows Defender
A publicly reported instance of an AMSI bypass used against Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
XWorm V6 implements an AMSI bypass technique that patches the AmsiScanBuffer function in memory to prevent script content scanning, allowing malicious scripts to execute undetected. It also uses process hollowing and obfuscation to evade endpoint detection.
Detection & mitigation
Monitor for suspicious in-memory modifications to AMSI functions such as AmsiScanBuffer (for example through API hooking or byte patching), using EDR telemetry or memory integrity checks. Mitigate by enabling AMSI provider integrity validation and by restricting script execution with AppLocker or WDAC.
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.