Bypass Record

AMSI Bypass × Microsoft AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-06-24

Config / version noted

Not stated

Provenance

github.com
disclosed 2025-06-24 · original source · via exa

Reported as

hooks EtwpEventWriteFull to return immediately, preventing detection

Mechanism

Uses 13-byte jmp trampolines to redirect AmsiScanBuffer to a proxy that returns AMSI_RESULT_CLEAN, and EtwpEventWriteFull to a stub that returns immediately, effectively disabling AMSI scanning and ETW logging.

Detection & mitigation

Monitor for modifications to AMSI-related functions (e.g., AmsiScanBuffer) in memory, such as inline hooks or trampolines, using integrity checks or kernel callbacks. Deploy AMSI provider hardening and enable tamper protection to prevent unauthorized patching.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.