Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly reported instance of an AMSI Bypass technique used against Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows AMSI
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
Medium
Severity
High
Status
poc
Disclosed
2025-03-11
Config / version noted
Not stated

Provenance

Reported as

bypass endpoint security protections that rely on AMSI

Mechanism

The tool locates a running PowerShell process, resolves the AMSI exports AmsiScanBuffer and AmsiScanString inside that process's memory, and overwrites their entry points with a stub that returns E_INVALIDARG. Every scan then reports failure instead of a verdict, and the PowerShell host treats a failed scan as permission to continue, so script content is never inspected and malicious PowerShell that would otherwise be blocked runs. The change is memory-only; amsi.dll on disk is untouched.

Detection & mitigation

Monitor for cross-process memory writes into PowerShell processes, in particular WriteProcessMemory calls whose target address falls inside amsi.dll (AmsiScanBuffer, AmsiScanString). Because the patch lives only in memory, integrity checks must compare the in-memory prologue of those exports against the on-disk amsi.dll rather than hashing the file. A PowerShell process whose AMSI calls begin failing with E_INVALIDARG, or that stops emitting events from the AMSI ETW provider while still executing scripts, is a further indicator. Mitigate by enforcing least privilege (the tool needs write access to the target process), deploying application control, and running PowerShell in Constrained Language Mode, which removes the Win32 interop and reflection that in-process variants of this patch rely on. Constrained Language Mode is a PowerShell setting, not an AMSI one, and does not stop a separate, already-privileged process from patching another process's memory.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.