Bypass Record

AMSI Bypass × Sophos Intercept X

A publicly-reported instance of AMSI Bypass bypassing Sophos Intercept X, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Sophos Intercept X

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

Medium

Severity

High

Status

poc

Disclosed

2024-08-02

Config / version noted

Not stated

Provenance

github.com
disclosed 2024-08-02 · original source · via raw

Reported as

tested against several EDR products and successfully executed without detection

Mechanism

Uses hardware breakpoints to hook AMSI and ETW functions without modifying code (patchless), avoiding detection by file integrity monitoring and EDR. Loads RC4-encrypted .NET assemblies via CLR hosting in Rust.

Detection & mitigation

Monitor for suspicious use of hardware breakpoints (e.g., via ETW or kernel callbacks) and unexpected CLR hosting processes. Deploy behavioral detection rules for post-exploitation actions like credential dumping, and ensure EDR is configured to inspect .NET assembly loads.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Microsoft Palo Alto Networks SentinelOne Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.