Bypass Record
AMSI Bypass × Microsoft Windows Defender
A publicly reported instance of AMSI Bypass bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
Blocking the DLL load means AMSI is never initialized, so script content and in-memory payloads are not scanned.
Mechanism
The technique uses Windows Exploit Protection or process mitigation policies (e.g., via SetProcessMitigationPolicy or registry configuration) to prevent amsi.dll from being loaded into a target process. Because the DLL never loads, AMSI is never initialized, so script content and in-memory payloads are not scanned; AMSI-dependent detection is defeated without modifying AMSI code or memory.
Detection & mitigation
Monitor for processes configured with unusual mitigation policies that block DLL loading, such as ProcessSignaturePolicy or DisableExtensionPoints, using Event Tracing for Windows (ETW) or Sysmon Event ID 1 (Process Creation) with command-line analysis. Apply AppLocker or WDAC to restrict execution of untrusted scripts and binaries, and ensure AMSI is enabled and its logging is collected and reviewed for anomalies.
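As an added illustration of the Sysmon Event ID 1 command-line analysis described above (example code, not from the cited source): a small Python triage pass over constructed process-creation records that flags mitigation-policy changes naming the settings listed in the detection note, and raises severity when the target is a script host. The flag list, script-host list and sample events are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET

# Mitigation settings named in the detection note that can keep a DLL such as amsi.dll out of a process.
DLL_BLOCKING_FLAGS = ("disableextensionpoints", "microsoftsignedonly", "processsignaturepolicy")
# Script hosts that initialise AMSI; a policy change aimed at one of these is the case worth escalating (assumed list).
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Target of the change: "-Name <exe>" for the cmdlet route, the IFEO subkey name for the registry route.
TARGET_RE = re.compile(r"-Name\s+\W?([\w.\-]+)|Image File Execution Options\\+([\w.\-]+)", re.I)


def parse_event(xml_text):
    """Map the EventData fields (Name -> text) of one Sysmon Event ID 1 record."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter("Data")}


def classify(event):
    """None for benign; 'medium' for a DLL-blocking policy change; 'high' when it targets a script host."""
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if "image file execution options" in low and "mitigationoptions" in low:
        suspicious = True  # the bits are REG_BINARY data, so any write to this value needs review
    elif "set-processmitigation" in low:
        suspicious = any(flag in low for flag in DLL_BLOCKING_FLAGS)
    else:
        suspicious = False
    if not suspicious:
        return None
    m = TARGET_RE.search(cmd)
    target = (m.group(1) or m.group(2) or "").lower() if m else ""
    return "high" if target in SCRIPT_HOSTS else "medium"


def triage(xml_records):
    """Return (ProcessId, severity, CommandLine) for every record that classifies as suspicious."""
    hits = []
    for rec in xml_records:
        ev = parse_event(rec)
        sev = classify(ev)
        if sev:
            hits.append((ev.get("ProcessId"), sev, ev.get("CommandLine")))
    return hits


# Constructed Sysmon Event ID 1 fragments for illustration; not real telemetry from the cited source.
SAMPLE_EVENTS = [
    r'<Event><EventData><Data Name="ProcessId">4120</Data><Data Name="CommandLine">powershell.exe -Command Set-ProcessMitigation -Name wscript.exe -Enable DisableExtensionPoints</Data></EventData></Event>',
    r'<Event><EventData><Data Name="ProcessId">5008</Data><Data Name="CommandLine">reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v MitigationOptions /t REG_BINARY</Data></EventData></Event>',
    r'<Event><EventData><Data Name="ProcessId">6212</Data><Data Name="CommandLine">powershell.exe -Command Set-ProcessMitigation -Name notepad.exe -Enable DEP,SEHOP</Data></EventData></Event>',
    r'<Event><EventData><Data Name="ProcessId">7340</Data><Data Name="CommandLine">"C:\Program Files\Git\bin\git.exe" status</Data></EventData></Event>',
]
```

Running `triage(SAMPLE_EVENTS)` reports the first two records (high for the script-host target, medium for the IFEO write) and ignores the DEP/SEHOP hardening and the unrelated process.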
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.