Bypass Record

AMSI Bypass × SentinelOne EDR

A publicly reported instance of the AMSI Bypass technique being used to evade SentinelOne EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
SentinelOne EDR
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-02-12
Config / version noted
Not stated

Provenance

Reported as

bypass of SentinelOne EDR by using a custom .NET loader to execute Rubeus

Mechanism

A .NET loader uses hardware breakpoints to hook AMSI and ETW, preventing SentinelOne from inspecting malicious .NET assemblies. AES encryption obfuscates the payload. The loader then executes Rubeus in memory to perform S4U constrained delegation, impersonating a Domain Admin without triggering EDR detections.

Detection & mitigation

Monitor for suspicious use of hardware breakpoints (e.g., via ETW or kernel callbacks) and unexpected AMSI/ETW unhooking. Deploy memory scanning and behavioral analysis to detect in-memory .NET assembly loads that bypass AMSI. Ensure EDR tamper protection is enabled and monitor for agent health signals.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.