Bypass Record
AMSI Bypass × Microsoft Windows Defender
A publicly reported instance of the AMSI Bypass technique being used to evade Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The technique patches the AmsiOpenSession function so that the RCX register is set to 0, which causes the call to fail with E_INVALIDARG. Alternatively, AmsiScanBuffer is patched so that it sets RAX to E_INVALIDARG and returns immediately, and no scanning takes place. Of the two, the AmsiScanBuffer patch is the one that defeats AMSI for .NET Assembly.Load() calls.
Detection & mitigation
Monitor for suspicious memory modifications to AMSI-related DLLs (e.g., amsi.dll) using kernel callbacks or ETW providers like Microsoft-Windows-Threat-Intelligence. Deploy endpoint detection rules that alert on WriteProcessMemory or NtWriteVirtualMemory calls targeting AMSI functions, and enforce Windows Defender Application Control (WDAC) to restrict untrusted code execution.
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.