Bypass Record

AMSI Bypass × Microsoft Defender for Endpoint

A publicly-reported instance of AMSI Bypass bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender for Endpoint
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2025-05-16
Config / version noted: Not stated

Provenance

Reported as

ETW is implied bypassed via similar memory manipulation

Mechanism

CDB is launched with a script file (-cf) that sets a breakpoint on AmsiScanBuffer, overwrites the function's code so that it returns 0x80070057 (E_INVALIDARG, which callers treat as a clean result), removes the breakpoint, and continues execution. For a Constrained Language Mode (CLM) bypass, a breakpoint on the load of System.Management.Automation.dll allows GetSystemLockdownPolicy to be patched to return 0 (SystemEnforcementMode.None). ETW is implied to be bypassed via similar memory manipulation. Because CDB is a legitimate, signed Microsoft debugger, its activity evades detection.

Detection & mitigation

Monitor for CDB.exe or NTSD.exe spawning PowerShell or other scripting hosts, particularly when the debugger was launched with the -cf flag and a script file. Detect unusual breakpoint setting and memory patching via ETW or kernel callbacks. Block or alert on CDB execution from non-developer contexts, and restrict debugging tools via AppLocker or WDAC.
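As an added illustration of the first monitoring point (not code from the cited source or from this record), the following Python detector flags cdb.exe or ntsd.exe launched with a -cf script file that then spawns a scripting host, and rates the hit higher when the account is not an expected debugger user. The event field names (Image, ParentImage, ParentCommandLine, User), the DEV_ALLOWLIST account and the sample events are assumptions constructed for the example.

```python
# Added example, not from the cited source: flags cdb.exe / ntsd.exe launched
# with a -cf script file that spawn a scripting host. Field names and sample
# events are constructed; map them to your Sysmon/EDR process-creation schema.
from pathlib import PureWindowsPath
import shlex

DEBUGGERS = {"cdb.exe", "ntsd.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
DEV_ALLOWLIST = {"corp\\build-svc"}  # assumed: accounts expected to run debuggers

def _base(path):
    return PureWindowsPath(path.strip('"')).name.lower()

def script_file_arg(command_line):
    """Return the path passed to -cf / -cfr on a cdb/ntsd command line, else None."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to plain whitespace split
        argv = command_line.split()
    for i, arg in enumerate(argv[:-1]):
        if arg.lstrip("-/").lower() in ("cf", "cfr"):
            return argv[i + 1].strip('"')
    return None

def evaluate(ev):
    """Classify one process-creation event (dict); return an alert dict or None."""
    child, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    if parent not in DEBUGGERS or child not in SCRIPT_HOSTS:
        return None
    script = script_file_arg(ev["ParentCommandLine"])
    trusted = ev["User"].lower() in DEV_ALLOWLIST  # -cf + non-dev account is strongest
    return {"rule": "debugger-spawned-script-host", "parent": parent, "child": child,
            "script": script, "user": ev["User"],
            "severity": "high" if script and not trusted else "medium"}

def scan(events):
    return [a for a in map(evaluate, events) if a]

CDB = r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe"'
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: one benign launch, one matching the record
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "User": r"CORP\alice"},
    {"Image": PS, "ParentImage": CDB.strip('"'),
     "ParentCommandLine": CDB + r" -cf C:\Users\Public\dbg_script.txt powershell.exe",
     "User": r"CORP\alice"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```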

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.