Bypass Record

AMSI Bypass × Microsoft Windows Defender

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows Defender

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2023-10-06

Config / version noted

Not stated

Provenance

github.com
disclosed 2023-10-06 · original source · via exa
github.com
disclosed 2023-10-06 · original source · via raw

Reported as

GuardBypassToolkit bypasses Windows Defender by manually loading DLLs... hooking AmsiScanBuffer to return AMSI_RESULT_CLEAN

Mechanism

The tool manually loads PE files into memory, parses EAT to find function addresses, and hooks AmsiScanBuffer via absolute EAT hooking to return AMSI_RESULT_CLEAN. This prevents Defender from detecting malicious memory operations. LSASS dumping uses a callback to MiniDumpWriteDump with NULL file handle, encrypting and storing the dump in memory.

Detection & mitigation

Monitor for suspicious modifications to the AMSI AmsiScanBuffer function in memory, such as inline hooks or IAT/EAT patching, using endpoint detection tools that track integrity of security-related DLLs. Deploy AMSI provider integrity checks and enable Windows Defender Attack Surface Reduction rules to block tampering attempts.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.