Bypass Record

AMSI Bypass × Microsoft AMSI

A publicly reported instance of the AMSI Bypass technique used against Microsoft AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft AMSI
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
In the wild
Disclosed
2025-10-17
Config / version noted
Not stated

Provenance

Reported as

patching EtwEventWrite in ntdll.dll to return immediately

Mechanism

Loaders use LoadLibrary/GetProcAddress to locate AmsiScanBuffer in amsi.dll, call VirtualProtect to make its page writable, and overwrite the function's first instructions with a short shellcode stub that either returns E_INVALIDARG or zeroes the buffer length via xor edi,edi. ETW is disabled the same way, by patching EtwEventWrite in ntdll.dll to return immediately. Some variants use an EggHunter routine to locate AmsiScanBuffer by scanning from DllCanUnloadNow.

Detection & mitigation

Monitor for VirtualProtect or WriteProcessMemory calls that target AMSI-related DLLs (e.g., amsi.dll) or ETW-related functions (e.g., EtwEventWrite in ntdll.dll) and originate from non-Microsoft or unsigned processes. Deploy AMSI provider integrity checks and enable Windows Defender Attack Surface Reduction rules to block common patching techniques.
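A defender-side illustration of the monitoring described above, added here and not part of the cited source: it applies the record's indicators (VirtualProtect/WriteProcessMemory writes into amsi.dll, or into EtwEventWrite in ntdll.dll, from non-Microsoft callers) to constructed API-monitor events and escalates a process that disables both defences. The event schema and the process names are assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

PATCHING_APIS = {"VirtualProtect", "WriteProcessMemory"}  # primitives named in the record


@dataclass(frozen=True)
class ApiEvent:
    """One API-monitor record (assumed, simplified telemetry schema)."""
    process: str    # image name of the calling process
    publisher: str  # Authenticode publisher of that image, "" if unsigned
    api: str        # memory API that was called
    module: str     # module owning the target address
    symbol: str     # nearest export to the target address, "" if none


def patched_target(ev: ApiEvent) -> str | None:
    """Name the defence a write would disable, or None if out of scope.

    Any write into amsi.dll code is flagged, not only AmsiScanBuffer, so
    egg-hunter variants that reach the function without resolving its name
    still match; in ntdll.dll only EtwEventWrite is of interest.
    """
    if ev.api not in PATCHING_APIS or ev.publisher.startswith("Microsoft"):
        return None
    module = ev.module.lower()
    if module == "amsi.dll":
        return "AMSI"
    if module == "ntdll.dll" and ev.symbol == "EtwEventWrite":
        return "ETW"
    return None


def scan(events: list[ApiEvent]) -> dict[str, tuple[str, set[str]]]:
    """Map each offending process to (severity, targets hit); a process
    that disables both AMSI and ETW matches the full pattern and is 'high'."""
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if target := patched_target(ev):
            hits[ev.process].add(target)
    return {p: ("high" if len(t) == 2 else "medium", t) for p, t in hits.items()}


# Constructed sample telemetry (process names are made up, not real indicators).
SAMPLE_EVENTS = [
    ApiEvent("loader.exe", "", "VirtualProtect", "amsi.dll", "AmsiScanBuffer"),
    ApiEvent("loader.exe", "", "WriteProcessMemory", "ntdll.dll", "EtwEventWrite"),
    ApiEvent("signedhost.exe", "Microsoft Windows", "VirtualProtect", "amsi.dll", "AmsiScanBuffer"),
    ApiEvent("tool.exe", "", "VirtualProtect", "ntdll.dll", "NtClose"),
]
for proc, (sev, targets) in scan(SAMPLE_EVENTS).items():
    print(sev, proc, sorted(targets))
```

The signed-Microsoft exemption keys on the calling image, so a patch applied from inside a Microsoft-signed script host would be excluded; treat that exemption as a tuning choice rather than a fixed rule.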


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.