Bypass Record

AMSI Bypass × Microsoft Windows Defender (AMSI)

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows Defender (AMSI), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender (AMSI)
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
Medium
Severity
High
Status
poc
Disclosed
2024-03-07
Config / version noted
Not stated

Provenance

Reported as

BypassX, a C# tool that bypasses Windows security features AMSI, AppLocker, and Constrained Language Mode (CLM) simultaneously.

Mechanism

BypassX is a C# executable that, when run via InstallUtil.exe, evades AMSI (Antimalware Scan Interface), AppLocker application control and PowerShell Constrained Language Mode at the same time. The source does not detail the technical method. InstallUtil.exe is a Microsoft-signed .NET Framework utility that loads a supplied assembly and invokes the Install or Uninstall methods of its Installer-derived classes, a long-documented way of running arbitrary managed code inside a trusted binary (MITRE ATT&CK T1218.004); this is the most likely explanation for the AppLocker and CLM results, since compiled .NET code executing inside InstallUtil is neither a PowerShell script subject to CLM nor a separately launched executable subject to the AppLocker executable rules. How the tool avoids AMSI scanning of the loaded assembly is not stated in the source.

Detection & mitigation

Monitor for unexpected execution of InstallUtil.exe, in particular when it loads assemblies from user-writable or otherwise non-standard paths, when it runs from a location other than the .NET Framework directories (a copied or renamed binary), or when it is launched with the /U (uninstall) switch by a parent that is not an installer. Restrict InstallUtil.exe with AppLocker rules so it can run only from authorised directories, or deny it outright for users who do not need it. Enable PowerShell script block logging, and monitor the AMSI provider registrations under HKLM\SOFTWARE\Microsoft\AMSI\Providers for removal or modification, since unregistering the installed scanner is one way AMSI is tampered with.
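
The monitoring described above, as an added example that is not part of the original record or of BypassX: a Python hunt over Sysmon-style process-creation records (field names follow Sysmon Event ID 1; the records, paths and user names are constructed for illustration, not captured telemetry). It flags InstallUtil.exe running outside the .NET Framework directories (a copied or renamed binary, recognised through OriginalFileName), assemblies loaded from outside the directories an AppLocker default rule set trusts, and the uninstall-with-empty-logfile invocation documented on LOLBAS. The trusted-directory lists are assumptions a deployment would tune to its own software inventory.

```python
"""Hunt Sysmon-style process-creation records for InstallUtil.exe abuse.

Added example for this record; not BypassX code and not from the cited source.
Field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine,
ParentImage); the EVENTS list below is constructed, not real telemetry.
"""
import ntpath

# Where the genuine InstallUtil.exe lives (one sub-folder per CLR version).
FRAMEWORK_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)
# Directories an AppLocker default rule set trusts for executables and DLLs.
# Assumption: tune to the environment; anything else is treated as untrusted.
TRUSTED_ASSEMBLY_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _norm(path: str) -> str:
    """Strip quotes, normalise separators and lower-case so prefixes compare reliably."""
    return ntpath.normpath(path.strip('"')).lower()


def _under(path: str, prefixes) -> bool:
    """True if the normalised path sits beneath one of the given directories."""
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in prefixes)


def split_cmdline(cmd: str) -> list:
    """Minimal Windows command-line tokeniser: split on whitespace, honour double quotes."""
    tokens, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def analyze(event: dict) -> list:
    """Return findings for one process-creation event; empty if benign or not InstallUtil."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    # Match on the PE's original name as well, so a renamed copy is still recognised.
    if ntpath.basename(image).lower() != "installutil.exe" and original.lower() != "installutil.exe":
        return []
    findings = []
    if not _under(image, FRAMEWORK_DIRS):
        findings.append(f"InstallUtil image outside .NET Framework directory: {image}")
    args = split_cmdline(event.get("CommandLine", ""))[1:]  # drop argv[0]
    switches = [a.lower() for a in args if a[:1] in "/-"]
    targets = [a for a in args if a[:1] not in "/-"]  # assemblies InstallUtil will load
    for target in targets:
        if not _under(target, TRUSTED_ASSEMBLY_DIRS):
            findings.append(f"assembly loaded from untrusted path: {target}")
    if any(s in ("/u", "/uninstall") for s in switches) and any(
        s in ("/logfile=", "/logfile") for s in switches
    ):
        findings.append("uninstall run with empty /logfile=, the LOLBAS-documented pattern for executing Installer code")
    return findings


def hunt(events) -> list:
    """Return [(index, findings)] for every event that produced at least one finding."""
    return [(i, analyze(ev)) for i, ev in enumerate(events) if analyze(ev)]


# Constructed sample records (not real telemetry). Index 0 is a legitimate
# installer run, 1 is the tool launched from a download folder, 2 is a renamed
# copy of InstallUtil in %TEMP%, 3 is an unrelated process.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "C:\Program Files\Contoso Agent\AgentService.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\Downloads\BypassX.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r"svc.exe /U C:\Users\bob\AppData\Local\Temp\payload.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, reasons in hunt(EVENTS):
        print(f"event {idx}: {EVENTS[idx]['Image']}")
        for r in reasons:
            print(f"  - {r}")
```

Run against a real export by replacing EVENTS with parsed Sysmon Event ID 1 records; only the process-creation fields above are read. The legitimate record at index 0 produces no findings, while indices 1 and 2 each produce two, which is the separation a triage rule wants.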

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.