Bypass Record

AMSI Bypass × Microsoft Windows 11 AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows 11 AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows 11 AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2023-11-30

Config / version noted

Not stated

Provenance

gist.github.com
disclosed 2023-11-30 · original source · via exa

Reported as

bypassing the Antimalware Scan Interface (AMSI) on Windows 11 by hooking the AMSI context's virtual method table (VTable) on the heap

Mechanism

The method locates the AMSI context structure in memory, identifies its VTable pointer, and overwrites it with a ROP gadget address that redirects execution flow, effectively disabling AMSI scanning without modifying code sections or using traditional patching.

Detection & mitigation

Monitor for suspicious memory operations targeting the AMSI context heap, such as VTable pointer modifications via WriteProcessMemory or NtWriteVirtualMemory, using ETW or kernel callbacks. Mitigate by enabling Attack Surface Reduction rules, enforcing code integrity (e.g., HVCI), and restricting script execution via AppLocker or WDAC.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.