Bypass Record

AMSI Bypass × Microsoft AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-01-21

Config / version noted

Not stated

Provenance

medium.com
disclosed 2024-01-21 · original source · via exa

Reported as

bypassing Microsoft's Anti-Malware Scan Interface (AMSI) by patching the AmsiScanBuffer function in memory to always return AMSI_RESULT_CLEAN

Mechanism

The attacker loads amsi.dll into PowerShell's memory space and overwrites the beginning of the AmsiScanBuffer function with custom opcodes that set the EAX register to 0x80070057 (E_INVALIDARG), which is interpreted as clean. The patch uses obfuscated assembly instructions (e.g., MOV, XOR, ADD) to avoid signature detection, allowing any subsequent PowerShell commands to run without AMSI scanning.

Detection & mitigation

Monitor for suspicious modifications to amsi.dll in memory, such as unexpected writes to the AmsiScanBuffer function, using endpoint detection and response (EDR) tools with memory integrity monitoring. Mitigate by enabling Windows Defender Application Control (WDAC) and PowerShell Constrained Language Mode to restrict script execution even if AMSI is bypassed.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.