Bypass Record

AMSI Bypass × Microsoft Windows Defender

A publicly reported instance of AMSI Bypass being used against Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2026-03-05
Config / version noted
Not stated

Provenance

Reported as

implements six different AMSI bypass techniques with randomized, multi-layer obfuscation to evade signature-based detection

Mechanism

The tool randomly selects one of six AMSI bypass methods: ForceError (corrupts amsiContext/amsiSession), MattGRefl (sets the amsiInitFailed flag via reflection), MattGReflLog (delegate-based reflection to bypass WMF5 logging), MattGRef02 (overwrites amsiContext via Marshal.WriteInt32), RastaBuf (patches AmsiScanBuffer in memory), and BlankAmsiProviders (nulls the amsiContext/amsiSession pointers). Each payload is then obfuscated through variable renaming, string encoding, integer obfuscation, junk code insertion, case randomization, and expression wrapping to evade signature-based detection.

Detection & mitigation

Monitor PowerShell script block logs (Event ID 4104) and AMSI/ETW provider loads; flag obfuscated or suspicious script content (e.g., random variable names, encoded strings, reflection on AMSI internals). Mitigate by enforcing Constrained Language Mode, enabling deep script block logging, and using behavior-based EDR rules that flag AMSI tampering attempts.
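As an added illustration of the detection notes above (not part of the cited source or the tool), the following Python triages constructed Event ID 4104 script block entries for the indicators named in this record: references to AMSI internals, string decoding, memory patching, and randomized-case identifiers. The event shape, regexes and the case-alternation heuristic are assumptions, not a vendor rule set.

```python
import re

# Constructed ScriptBlockText values in the shape of Event ID 4104 entries.
# Neither is captured from a real host; the first only carries indicator
# strings named in the record and is not a working script.
CONSTRUCTED_EVENTS = [
    {"EventID": 4104, "ScriptBlockText":
        "$aBcDeFgHiJ = [Ref].Assembly.GetType('...'); "
        "$kLmNoPqRsT = $aBcDeFgHiJ.GetField('amsiInitFailed', ...); "
        "$zYxWvUtSrQ = [Convert]::FromBase64String('QUJD')"},
    {"EventID": 4104, "ScriptBlockText":
        "$ErrorActionPreference = 'Stop'; "
        "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object Length -gt 1MB"},
]

# Indicator patterns (assumed heuristics drawn from the record's wording).
AMSI_INTERNALS = re.compile(
    r"amsiInitFailed|amsiContext|amsiSession|AmsiScanBuffer", re.I)
ENCODED = re.compile(r"FromBase64String|-EncodedCommand|\[char\]\d+", re.I)
MEMORY_PATCH = re.compile(r"WriteInt32|VirtualProtect|WriteProcessMemory", re.I)
IDENT = re.compile(r"\$([A-Za-z][A-Za-z0-9]{5,})")

def case_alternations(name):
    """Count 'aBc'/'AbC' triples: PascalCase names score low, the record's
    'case randomization' layer produces names that score high."""
    n = 0
    for a, b, c in zip(name, name[1:], name[2:]):
        if (a.isalpha() and b.isalpha() and c.isalpha()
                and a.isupper() != b.isupper() and b.isupper() != c.isupper()):
            n += 1
    return n

def random_looking_identifiers(script):
    return sorted({m.group(1) for m in IDENT.finditer(script)
                   if case_alternations(m.group(1)) >= 3})

def reasons_for(script):
    """Return the human-readable indicators present in one script block."""
    reasons = []
    if AMSI_INTERNALS.search(script):
        reasons.append("references AMSI internals")
    if ENCODED.search(script):
        reasons.append("decodes encoded strings")
    if MEMORY_PATCH.search(script):
        reasons.append("patches process memory")
    rnd = random_looking_identifiers(script)
    if len(rnd) >= 2:
        reasons.append(f"{len(rnd)} random-looking identifiers")
    return reasons

def triage(events):
    """Flag 4104 entries that touch AMSI internals, or combine two other
    indicators (obfuscation alone is noisy, so one indicator is not enough)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        r = reasons_for(ev["ScriptBlockText"])
        if "references AMSI internals" in r or len(r) >= 2:
            hits.append((ev["ScriptBlockText"][:40], r))
    return hits
```

Tune the alternation threshold and the two-indicator rule against your own 4104 baseline before alerting on them, since administrative scripts with encoded arguments will otherwise produce noise.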

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.