Bypass Record

AMSI Bypass × Microsoft Defender

A publicly reported instance of AMSI Bypass bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2024-08-02
Config / version noted: Not stated

Provenance

Reported as

"tested against several EDR products and successfully executed without detection"

Mechanism

Uses hardware breakpoints to hook AMSI and ETW functions without modifying their code (a patchless hook), which avoids detection by file integrity monitoring and EDR. Loads RC4-encrypted .NET assemblies through CLR hosting from a Rust loader.

Detection & mitigation

Monitor for suspicious use of hardware breakpoints (e.g., thread-context changes observed via ETW or kernel callbacks) and for CLR hosting in unexpected processes. Deploy behavioral detection rules for post-exploitation actions such as credential dumping, and ensure EDR is configured to inspect .NET assembly loads.
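As an added example (not code from the cited source or the reported tool), a defender-side triage routine for the monitoring described above: it decodes DR7 to find armed hardware breakpoints in a thread-context telemetry record and flags any parked on AMSI/ETW exports, scoring higher when the process also hosts the CLR. The export names, the event shape and the sample values are assumptions, not a real ETW schema.

```python
# Added example, not code from the cited source: triage constructed thread-context
# telemetry for hardware-breakpoint hooks on AMSI/ETW exports (the recorded technique).
from dataclasses import dataclass

# Exports the reported technique hooks (assumed watch-list; extend as needed).
WATCHED = {"amsi.dll!AmsiScanBuffer", "ntdll.dll!EtwEventWrite"}
CLR_MODULES = {"clr.dll", "coreclr.dll"}

@dataclass
class ThreadContextEvent:
    """One SetThreadContext-style telemetry record (constructed shape, not a real
    ETW schema): debug registers plus the process's module and export map."""
    pid: int
    image: str
    dr: tuple        # (DR0, DR1, DR2, DR3) linear breakpoint addresses
    dr7: int         # debug control register
    modules: set     # lower-case module names loaded in the process
    exports: dict    # "module!function" -> address

def enabled_breakpoints(dr7: int):
    """Decode DR7: slot i is armed if its local (bit 2i) or global (bit 2i+1)
    enable is set; its R/W condition sits at bits 16+4i (0b00 = execute)."""
    kinds = {0: "exec", 1: "write", 2: "io", 3: "rw"}
    return [(i, kinds[(dr7 >> (16 + 4 * i)) & 0b11])
            for i in range(4) if dr7 & (0b11 << (2 * i))]

def triage(ev: ThreadContextEvent):
    """Return one finding per armed breakpoint parked on a watched export.
    A process that also hosts the CLR matches the reported loader, so it scores high."""
    by_addr = {addr: name for name, addr in ev.exports.items()}
    hosts_clr = bool(ev.modules & CLR_MODULES)
    findings = []
    for slot, kind in enabled_breakpoints(ev.dr7):
        target = by_addr.get(ev.dr[slot])
        if target in WATCHED:
            findings.append({"pid": ev.pid, "image": ev.image, "slot": slot,
                             "kind": kind, "target": target,
                             "severity": "high" if hosts_clr else "medium"})
    return findings

# Constructed sample: a loader hosting the CLR with DR0 on AmsiScanBuffer and
# DR1 on EtwEventWrite (both execute); DR2/DR3 hold unarmed stale values.
SAMPLE = ThreadContextEvent(
    pid=4242, image="loader.exe",
    dr=(0x7FFA1B0A3E20, 0x7FFA22F61A40, 0xDEADBEEF, 0x0),
    dr7=0b0101,  # L0 and L1 set; R/W0 = R/W1 = 0b00 (execute)
    modules={"loader.exe", "ntdll.dll", "amsi.dll", "clr.dll"},
    exports={"amsi.dll!AmsiScanBuffer": 0x7FFA1B0A3E20,
             "ntdll.dll!EtwEventWrite": 0x7FFA22F61A40},
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```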


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.