Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-04-24

Config / version noted

Not stated

Provenance

github.com
disclosed 2025-05-02 · original source · via exa
github.com
disclosed 2025-04-24 · original source · via exa
meterpreter.org
disclosed 2025-04-29 · original source · via raw

Reported as

bypasses the Windows Antimalware Scan Interface (AMSI) by using hardware breakpoints to modify AmsiScanBuffer behavior at runtime

Mechanism

Sets a hardware breakpoint on the AmsiScanBuffer function using CPU debug registers. When the breakpoint triggers during execution, the technique modifies the function's behavior in memory to bypass scanning, without altering the AMSI DLL on disk.

Detection & mitigation

Monitor for suspicious use of debug registers (e.g., via ETW events for thread context setting) or anomalous breakpoint exceptions targeting AMSI-related functions. Deploy kernel-level callbacks or hypervisor-based integrity checks to detect unauthorized debug register manipulation, and ensure AMSI is integrated with behavior-based detection to catch post-bypass malicious activity.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.