Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly reported instance of the AMSI Bypass technique used against Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows AMSI
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-08-28
Config / version noted: Not stated

Provenance

Reported as: "patches its AmsiOpenSession and AmsiScanBuffer functions to disable AMSI scanning"

Mechanism

The tool starts PowerShell in a suspended state, then uses DebugActiveProcess to become its debugger. It intercepts the LOAD_DLL_DEBUG_EVENT when amsi.dll is loaded, parses its Export Address Table (EAT) via remote memory reads to locate AmsiOpenSession and AmsiScanBuffer, and patches them in memory to render AMSI ineffective.

Detection & mitigation

Monitor for suspicious debugger attachment to PowerShell or other AMSI-enabled processes (e.g., Event ID 4688 with debug flags, or Sysmon Event ID 1 with DebugActiveProcess). Mitigate by enabling Attack Surface Reduction rules, restricting debug privileges, and using AMSI provider integrity checks.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.