Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2023-10-24

Config / version noted

Not stated

Provenance

github.com
disclosed 2023-10-24 · original source · via raw

Reported as

AMSI-Reaper ... bypasses the Windows Antimalware Scan Interface (AMSI) by injecting code into AMSI component memory

Mechanism

AMSI-Reaper injects code into the memory of AMSI components (e.g., AmsiScanBuffer) to patch or disable them, preventing AMSI from scanning and blocking malicious scripts. The PowerShell version downloads and executes directly in memory; the C# version compiles with CSC and performs the same memory manipulation.

Detection & mitigation

Monitor for suspicious memory modifications to AMSI-related DLLs (e.g., amsi.dll) or unexpected use of CSC.exe to compile and execute C# code. Deploy endpoint detection rules for known AMSI patching patterns and restrict execution policies to signed scripts only.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.