Bypass Record

AMSI Bypass × Microsoft Defender for Endpoint

A publicly-reported instance of AMSI Bypass bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Defender for Endpoint

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-12-28

Config / version noted

Not stated

Provenance

medium.com
disclosed 2025-12-28 · original source · via brave

Reported as

The technique prevents MDE's AMSI integration from scanning script content

Mechanism

The bypass targets how MDE loads its AMSI provider DLL (MpOav.dll). By manipulating the provider registration or loading process, the technique prevents MDE's AMSI provider from being invoked when scripts are submitted for scanning, effectively disabling AMSI-based inspection for MDE without disabling AMSI entirely.

Detection & mitigation

Monitor for unexpected AMSI provider registration changes or failures to load MpOav.dll, such as missing or tampered registry keys under HKLM\SOFTWARE\Microsoft\AMSI\Providers. Mitigation: enforce tamper protection, restrict administrative privileges, and use endpoint detection rules that alert on AMSI provider load failures or suspicious script host behavior.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.