Bypass Record

AMSI Bypass × Microsoft Antimalware Scan Interface (AMSI)

A publicly reported instance of the AMSI Bypass technique used against Microsoft Antimalware Scan Interface (AMSI), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Antimalware Scan Interface (AMSI)
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-05-12
Config / version noted: Not stated

Provenance

Reported as

TrollAMSI2 is a proof-of-concept tool that bypasses PowerShell AMSI by byte-patching the AMSI initialization method.

Mechanism

Patches the JIT-compiled code of the AMSI initialization method so that it fails, then manually calls UnInit. When AMSI attempts to re-initialize, the patched method fails, which effectively disables AMSI scanning for that PowerShell process. The DLL variant uses HarmonyLib for the patching; the PowerShell variant uses VirtualProtect, which some AV/EDR products may flag.

Detection & mitigation

Monitor for PowerShell loading unexpected .NET assemblies (e.g., HarmonyLib) or invoking VirtualProtect on AMSI-related memory regions, using Event ID 4104 (script block logging) and Event ID 800 (pipeline execution details). Mitigation: enforce Constrained Language Mode and enable deep script block logging so that obfuscated or dynamically compiled code is captured.
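As an added illustration of the monitoring described above (this is example code written for this record, not code from the cited source or from the TrollAMSI2 project), the following Python triages constructed PowerShell log events against the indicators the note names: a HarmonyLib reference, and VirtualProtect appearing together with an AMSI reference. The event field names, the regular expressions and the sample event text are assumptions; in practice the text would come from the ScriptBlockText of 4104 events and the payload of 800 events.

```python
import re
from dataclasses import dataclass


@dataclass
class PsEvent:
    """Minimal view of a PowerShell log event (field names assumed, not Windows' own)."""
    record_id: int
    event_id: int   # 4104 = script block logging, 800 = pipeline execution details
    text: str       # ScriptBlockText (4104) or pipeline detail payload (800)


# Only the two event IDs the detection note points at are triaged.
MONITORED_EVENT_IDS = {4104, 800}

# Indicator patterns (assumed; tune to the environment).
HARMONY_RE = re.compile(r"HarmonyLib", re.I)
VPROTECT_RE = re.compile(r"VirtualProtect(Ex)?", re.I)
AMSI_RE = re.compile(r"amsi", re.I)   # matches amsi.dll and Amsi* identifiers


def classify(event: PsEvent) -> list[str]:
    """Return the indicator names that fire for one event (empty list = nothing to flag)."""
    if event.event_id not in MONITORED_EVENT_IDS:
        return []
    reasons = []
    if HARMONY_RE.search(event.text):
        reasons.append("harmonylib_reference")
    if VPROTECT_RE.search(event.text):
        # VirtualProtect next to an AMSI reference is the stronger signal;
        # VirtualProtect alone is kept as a weaker, separate reason.
        if AMSI_RE.search(event.text):
            reasons.append("virtualprotect_amsi")
        else:
            reasons.append("virtualprotect")
    return reasons


def scan(events: list[PsEvent]) -> dict[int, list[str]]:
    """Map record_id -> reasons for every event that raised at least one indicator."""
    hits = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event.record_id] = reasons
    return hits


# Constructed sample events; none of this text is from a real log.
SAMPLE_EVENTS = [
    PsEvent(1, 4104, r"Get-ChildItem C:\Users | Sort-Object Length -Descending"),
    PsEvent(2, 4104, r"[System.Reflection.Assembly]::LoadFile('C:\Temp\HarmonyLib.dll') | Out-Null"),
    PsEvent(3, 4104, r"$h = [Win32]::GetModuleHandle('amsi.dll'); [Win32]::VirtualProtect($p, 8, 0x40, [ref]$old)"),
    PsEvent(4, 800, "CommandInvocation(Invoke-Expression): ... VirtualProtect ..."),   # no AMSI reference
    PsEvent(5, 4103, "module logging entry mentioning HarmonyLib"),                    # not a monitored event ID
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(reasons)}")
```

Records 2, 3 and 4 are reported; record 1 is benign and record 5 is a module-logging event (4103) that the note does not cover, so it is ignored even though it mentions HarmonyLib. Event 800 is deliberately triaged with the same patterns as 4104, since pipeline execution details can carry the command text when script block logging is not enabled.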

AMSI Bypass has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.