Bypass Record

AMSI Bypass × Microsoft Windows Defender

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows Defender

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-11-21

Config / version noted

Not stated

Provenance

practicalsecurityanalytics.com
disclosed 2024-11-21 · original source · via exa

Reported as

bypasses AMSI by modifying the 'AmsiScanBuffer' string in the .rdata section of CLR.DLL in memory, preventing the runtime from passing reflectively loaded .NET modules to the installed AV

Mechanism

CLR.DLL uses GetProcAddress to resolve 'AmsiScanBuffer' from amsi.dll. The string literal 'AmsiScanBuffer' is stored in CLR.DLL's .rdata section. By overwriting this string in memory (e.g., with null bytes), the lookup fails, and the CLR reflective loader continues without scanning, as it is designed to 'fail open'.

Detection & mitigation

Monitor for suspicious modifications to CLR.DLL's .rdata section in memory, such as writes to the 'AmsiScanBuffer' string, using kernel callbacks or ETW events (e.g., Microsoft-Windows-Threat-Intelligence). Deploy AMSI provider integrity checks and enable attack surface reduction rules to block reflective .NET loading from untrusted sources.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.