AMSI Bypass × Palo Alto Networks Cortex XDR

A publicly-reported instance of AMSI Bypass bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Palo Alto Networks Cortex XDR

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-04-15

Config / version noted

Not stated

Provenance

github.com
disclosed 2025-04-15 · original source · via exa

Reported as

tested successfully against Cortex XDR

Mechanism

Patches AmsiScanBuffer in clr.dll to zero out the global_pAmsiContext check, preventing AMSI from flagging content as malicious. Also patches NtTraceEvent in ntdll.dll to bypass ETW. Uses direct syscalls to avoid userland hooks and RC4 encryption for payload obfuscation.

Detection & mitigation

Monitor for suspicious modifications to AmsiScanBuffer in clr.dll (e.g., via in-memory patching or hooking) using EDR memory integrity checks or kernel callbacks. Deploy AMSI provider integrity validation and enable Windows Defender Attack Surface Reduction rules to block tampering.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Microsoft SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.