Bypass Record

AMSI Bypass × Microsoft Defender

A publicly-reported instance of AMSI Bypass bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Defender

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-02-28

Config / version noted

Not stated

Provenance

lumu.io
disclosed 2025-02-28 · original source · via raw

Reported as

evasion of Microsoft Defender by downloading malicious code into memory... patching AMSI and ETW to prevent scanning and logging... attack proceeds without Defender alerts

Mechanism

PowerShell downloads payload into memory from a trusted URL to avoid disk scanning. AMSI is patched to prevent script scanning, and ETW is patched to stop event logging. DNS tunneling establishes C2, allowing remote desktop access and task list viewing, all while Defender reports normal operation.

Detection & mitigation

Monitor for PowerShell downloading content directly into memory from remote sources, especially from trusted domains like GitHub. Deploy AMSI and ETW integrity checks; use network detection for DNS tunneling anomalies (e.g., high entropy subdomains, unusual query volumes).

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.