Bypass Record

AMSI Bypass × Microsoft AMSI

A publicly-reported instance of AMSI Bypass bypassing Microsoft AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft AMSI

Technique

AMSI Bypass

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2026-05-16

Config / version noted

Not stated

Provenance

infosecwriteups.com
disclosed 2026-05-21 · original source · via brave
github.com
disclosed 2026-05-16 · original source · via exa

Reported as

PowerShell script that bypasses the Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function in memory

Mechanism

The PowerShell script locates the AmsiScanBuffer function in amsi.dll, overwrites its beginning with a return instruction (patch), and then executes arbitrary PowerShell code without AMSI inspection. AI was used to generate, debug, and optimize the bypass code.

Detection & mitigation

Monitor for PowerShell script block logging (Event ID 4104) containing patterns indicative of AMSI patching, such as memory manipulation of amsi.dll or AmsiScanBuffer. Deploy AMSI itself and enable deep script block logging; use application control to restrict unsigned or suspicious PowerShell scripts.

AMSI Bypass has also been recorded against

Any security vendor relying on AMSI CrowdStrike McAfee Palo Alto Networks SentinelOne Sophos Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.