Bypass Record
AMSI Bypass × Microsoft Windows AMSI
A publicly reported instance of an AMSI bypass against Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
PowerShell uses .NET reflection to access the internal AmsiUtils class and set the private static field amsiInitFailed to true, causing AMSI to assume initialization failure and stop scanning scripts.
Mechanism
PowerShell uses .NET reflection to access the internal AmsiUtils class and set its private static field amsiInitFailed to true; AMSI then treats itself as having failed to initialize and stops scanning script content. A temporary .cmdline file is then written and csc.exe (the C# compiler) is invoked to compile a payload that is loaded and executed in memory, with cvtres.exe involved in resource conversion, all without dropping a traditional malware binary to disk.
Detection & mitigation
Monitor PowerShell script block logs (Event ID 4104) for 'amsiInitFailed' or reflection on 'AmsiUtils', and Sysmon Event ID 1 (process creation) for csc.exe spawning with suspicious command lines (e.g., compiling from a temporary .cmdline file). Mitigate by enabling AMSI and PowerShell Constrained Language Mode, and by restricting csc.exe execution via AppLocker or WDAC.
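One way to turn the detection notes above into a runnable check, as an added example in Python (not code from the cited source): it scans event records for the two indicator families the record names, the script block strings 'amsiInitFailed' / 'AmsiUtils' in Event ID 4104 and csc.exe reading a response file from a Temp directory in Sysmon Event ID 1. The event dictionaries, their field names (EventID, ScriptBlockText, Image, CommandLine, ParentImage) and the sample values are constructed stand-ins, and the list of reflection verbs used as a secondary hint is an assumption.

```python
# Added example: detection logic for the indicators listed under
# "Detection & mitigation". Not code from the cited source; the event records
# below are constructed stand-ins for PowerShell script block events
# (Event ID 4104) and Sysmon process-creation events (Event ID 1).
from __future__ import annotations
import re
from typing import Iterable

# Script-block indicators named on the page: the private field and the class.
SCRIPT_BLOCK_INDICATORS = (
    re.compile(r"amsiInitFailed", re.IGNORECASE),
    re.compile(r"AmsiUtils", re.IGNORECASE),
)
# Reflection verbs that typically accompany the class name (assumption).
REFLECTION_HINT = re.compile(r"GetType|GetField|SetValue|Assembly", re.IGNORECASE)
# csc.exe taking its arguments from a .cmdline response file under a Temp directory.
TEMP_CMDLINE = re.compile(r'@"?[^"\s]*\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)


def check_script_block(event: dict) -> list[str]:
    """Return the reasons a 4104 event matches the AMSI-bypass indicators (empty if none)."""
    text = event.get("ScriptBlockText", "")
    reasons = [f"script block references {p.pattern}" for p in SCRIPT_BLOCK_INDICATORS if p.search(text)]
    if reasons and REFLECTION_HINT.search(text):
        reasons.append("reflection API usage alongside AMSI indicator")
    return reasons


def check_process_create(event: dict) -> list[str]:
    """Return the reasons a Sysmon Event ID 1 record matches the csc.exe pattern (empty if none)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "csc.exe":
        return []
    if not TEMP_CMDLINE.search(event.get("CommandLine", "")):
        return []  # ordinary csc.exe invocations are common; only the response-file pattern is flagged
    reasons = ["csc.exe compiling from a temporary .cmdline response file"]
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in ("powershell.exe", "pwsh.exe"):
        reasons.append(f"spawned by {parent}")
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Dispatch each event to the matching check; return (EventID, reasons) for every hit."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4104:
            reasons = check_script_block(ev)
        elif eid == 1:
            reasons = check_process_create(ev)
        else:
            reasons = []
        if reasons:
            hits.append((eid, reasons))
    return hits


# Constructed sample events (not real telemetry). The flagged script block only
# contains the indicator strings; it is not a working bypass.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object CPU -gt 10"},
    {"EventID": 4104, "ScriptBlockText": "$c = 'AmsiUtils'; $f = 'amsiInitFailed'  # constructed sample"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\abc123.cmdline"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for eid, reasons in scan(SAMPLE_EVENTS):
        print(eid, "; ".join(reasons))
```

Two points worth keeping in mind when tuning this: PowerShell's own Add-Type drives csc.exe through a Temp .cmdline response file in exactly this way, so the Sysmon match is noisy on its own and is best correlated with the 4104 indicator or with the parent process; and the script block check matches plain text only, so the mitigations the record lists (Constrained Language Mode and AppLocker/WDAC restrictions on csc.exe) remain the primary control rather than the string match.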
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.