Bypass Record

AMSI Bypass × Microsoft Antimalware Scan Interface (AMSI)

A publicly-reported instance of AMSI Bypass bypassing Microsoft Antimalware Scan Interface (AMSI), recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Antimalware Scan Interface (AMSI)

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-05-04

Config / version noted

Not stated

Provenance

github.com
disclosed 2024-05-04 · original source · via exa
github.com
disclosed 2024-05-24 · original source · via exa

Reported as

This defeats AMSI-based script content inspection.

Mechanism

The tool scans the AMSI DLL's memory for a specific opcode pattern (e.g., test, je, cmp instructions) to find the address of a conditional jump. It then patches the jump to always take the bypass path, effectively disabling AMSI for the lifetime of the process. This defeats AMSI-based script content inspection.

Detection & mitigation

Monitor for suspicious memory patching of AMSI.dll, such as WriteProcessMemory or NtProtectVirtualMemory calls targeting the AMSI scanning functions (e.g., AmsiScanBuffer). Deploy AMSI provider integrity checks and use endpoint detection rules that alert on modifications to AMSI-related code sections.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.