Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-10-20

Config / version noted

Not stated

Provenance

github.com
disclosed 2024-10-20 · original source · via exa

Reported as

bypasses the Antimalware Scan Interface (AMSI) by intercepting the loading of amsi.dll ... preventing AMSI initialization and thus disabling script content scanning

Mechanism

Intercepts LdrLoadDll (the final loader for LoadLibrary calls) to detect when amsi.dll is being loaded. When amsi.dll is requested, the technique returns an 'Access Denied' error, causing AMSI initialization to fail. This is achieved either by inserting an unconditional jump (hooking) to a custom LdrLoadDll that checks the DLL name, or by setting a hardware breakpoint on LdrLoadDll and in the exception handler checking the r8 register (third argument, dllName) for 'amsi.dll', then modifying the return address and rax to simulate failure. This bypasses AMSI because the CLR's AmsiScanBuffer check returns 'not detected' if amsi.dll fails to load.

Detection & mitigation

Monitor for failed loads of amsi.dll (e.g., via Sysmon Event ID 7 with ImageLoaded events where SignatureStatus is 'Unavailable' or load failures logged by AMSI itself). Deploy AMSI provider integrity checks and use endpoint detection rules that alert on LdrLoadDll hooking or hardware breakpoint modifications.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.