Bypass Record

AMSI Bypass × Microsoft AMSI

A publicly reported instance of the AMSI Bypass technique used against Microsoft AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft AMSI
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-06-01
Config / version noted: Not stated

Provenance

Reported as

LightsOut generates a DLL that patches AMSI and ETW in-memory using methods like direct patching, hardware breakpoints, or remote process patching.

Mechanism

LightsOut generates a DLL that patches AMSI and ETW in-memory using methods like direct patching, hardware breakpoints, or remote process patching. It obfuscates the DLL by randomizing WinAPI function names, XOR-encoding strings, and employing sandbox evasion checks to avoid static and dynamic analysis by AV/EDR.

Detection & mitigation

Monitor for suspicious in-memory patching of AMSI and ETW-related functions (e.g., AmsiScanBuffer, EtwEventWrite) via tools like Sysmon Event ID 10 (ProcessAccess) or Event ID 8 (CreateRemoteThread) targeting security-sensitive processes. Deploy AMSI and ETW integrity checks, enable tamper protection, and restrict debug privileges to prevent unauthorized patching.
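The Sysmon-based monitoring described above, as an added example that is not from the cited source or the LightsOut project: it scores constructed Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) records for write-capable access or remote threads into processes that host AMSI. The list of host processes, the flattened key=value record format and the sample events are assumptions.

```python
"""Triage constructed Sysmon Event ID 8/10 records for in-memory patching of
AMSI/ETW hosts. The host list, record format and events are assumptions."""
import re

# Processes that load amsi.dll and are common patch targets (assumed list).
AMSI_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020  # Win32 access-right bits
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE     # needed to patch remote memory

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value' Sysmon record (constructed format, no spaces in values)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["EventID"] = int(fields["EventID"])
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev: dict):
    """Return (score, reason) for a suspicious event, or None when it is benign."""
    target = basename(ev.get("TargetImage", ""))
    if target not in AMSI_HOSTS:            # only AMSI-hosting targets are in scope here
        return None
    if ev["EventID"] == 8:                  # remote thread injected into an AMSI host
        return 90, f"CreateRemoteThread into {target}"
    if ev["EventID"] == 10:                 # handle opened with memory-write rights
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if granted & WRITE_MASK == WRITE_MASK:
            # A call frame from unbacked memory ("UNKNOWN") suggests an injected DLL/shellcode.
            score = 95 if "UNKNOWN" in ev.get("CallTrace", "") else 70
            return score, f"VM_WRITE|VM_OPERATION on {target} (GrantedAccess=0x{granted:x})"
    return None

def run(lines):
    """Apply triage to each record; returns (source, score, reason) tuples for hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = triage(ev)
        if verdict:
            hits.append((basename(ev["SourceImage"]), verdict[0], verdict[1]))
    return hits

EVENTS = [  # constructed sample records; tune an allowlist for EDR/AV sources in practice
    r"EventID=10 SourceImage=C:\Users\u\AppData\Local\Temp\loader.exe TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1F3FFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(000001C2)",
    r"EventID=10 SourceImage=C:\ProgramData\Microsoft\WindowsDefender\MsMpEng.exe TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4",
    r"EventID=8 SourceImage=C:\Users\u\AppData\Local\Temp\loader.exe TargetImage=C:\Users\u\pwsh.exe StartAddress=0x00007FF6A1B20000 StartFunction=-",
    r"EventID=10 SourceImage=C:\Users\u\AppData\Local\Temp\loader.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1F3FFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4",
]

if __name__ == "__main__":
    for hit in run(EVENTS):
        print(hit)
```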

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.