AMSI Bypass × Palo Alto Networks Cortex XDR

A publicly-reported instance of AMSI Bypass bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Palo Alto Networks Cortex XDR

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

patched

Disclosed

2025-06-18

Config / version noted

Yes

Provenance

medium.com
disclosed 2025-06-18 · original source · via raw

Reported as

The attack went undetected by default Cortex XDR analytics

Mechanism

The attack uses PowerShell ExecutionPolicy Bypass to run scripts, sets environment variables and registry keys under HKCU to enable COM profiler injection of a malicious DLL into PowerShell, then uses .NET reflection to set the internal amsiInitFailed flag to true, disabling AMSI scanning entirely. All steps operate in user context without elevated privileges, evading default Cortex XDR behavioral and BIOC detections.

Detection & mitigation

Monitor for PowerShell execution with ExecutionPolicy Bypass, registry modifications under HKCU\Software\Classes\CLSID for suspicious InprocServer32 entries, and use of .NET reflection to access AmsiUtils. Enable ScriptBlock, Module, and Transcription logging; create custom XQL/BIOC rules to alert on COM profiler environment variables (COR_ENABLE_PROFILING, COR_PROFILER) and correlate with DLL loads.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Microsoft SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.