Bypass Record

AMSI Bypass × Microsoft Windows Defender

A publicly reported instance of the AMSI Bypass technique being used against Microsoft Windows Defender, recorded with its original source. This is a factual record, not an assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: AMSI Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2026-05-21
Config / version noted: Not stated

Provenance

Reported as

AMSI initialization to fail silently while scripts continue to run uninspected

Mechanism

When WSH initializes a script engine (JScript/VBScript), it loads AMSI.DLL from SYSTEM32 using LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32. However, LoadLibrary first checks whether a module with the same base name is already present in the process. By copying WSCRIPT.EXE to AMSI.DLL and launching it via CreateProcess (e.g., WScript.Shell.Exec), the main executable image is named AMSI.DLL. When the engine later calls LoadLibraryEx("amsi.dll"), it finds the already-loaded executable (which does not export AmsiInitialize), so AMSI initialization fails; the script engine nevertheless continues execution, and the script runs without AMSI scanning.

Detection & mitigation

Monitor process creation events for cases where the Image or ParentImage is a renamed WSCRIPT.EXE (e.g., a process named AMSI.DLL), or where a process named AMSI.DLL carries an OriginalFileName of WSCRIPT.EXE (the name recorded in the PE version resource survives a file rename). Deploy application control policies to block execution of WSCRIPT.EXE from non-standard paths or under non-standard names.
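The detection logic described above, as an added example that is not part of the recorded source: it runs the three checks (renamed WSH host by OriginalFileName mismatch, an image or parent image named AMSI.DLL, and WSCRIPT.EXE executing from outside System32/SysWOW64) over process-creation records. The records are constructed and use Sysmon Event ID 1 field names; the expected-directory set assumes a default Windows install and is an assumption.

```python
"""Detection logic for renamed / relocated WSCRIPT.EXE, run over constructed
Sysmon-style process-creation records (Event ID 1 field names).  Added example;
the event records below are constructed, not taken from the cited report."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Directories from which wscript.exe is expected to run (assumption: default
# Windows install; adjust for hosts with a non-standard %SystemRoot%).
EXPECTED_WSH_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}
WSH_ORIGINAL_NAMES = {"wscript.exe", "cscript.exe"}  # PE version-resource names
SUSPECT_IMAGE_NAMES = {"amsi.dll"}  # an EXE carrying a DLL name is never legitimate


@dataclass
class Finding:
    event_id: str
    reasons: list[str] = field(default_factory=list)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def check_event(ev: dict) -> list[str]:
    """Return the detection reasons that apply to one process-creation record."""
    reasons = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    orig = ev.get("OriginalFileName", "").lower()
    # 1. OriginalFileName says WSH host, but the on-disk name differs: renamed binary
    if orig in WSH_ORIGINAL_NAMES and _base(image) != orig:
        reasons.append(f"renamed WSH host: OriginalFileName={orig} Image={_base(image)}")
    # 2. A running process (or its parent) whose image name is AMSI.DLL
    if _base(image) in SUSPECT_IMAGE_NAMES:
        reasons.append(f"process image named like a DLL: {_base(image)}")
    if _base(parent) in SUSPECT_IMAGE_NAMES:
        reasons.append(f"parent image named like a DLL: {_base(parent)}")
    # 3. WSH host with its normal name but running from an unexpected directory
    if _base(image) in WSH_ORIGINAL_NAMES and _dir(image) not in EXPECTED_WSH_DIRS:
        reasons.append(f"WSH host from non-standard path: {image}")
    return reasons


def scan(events: list[dict]) -> list[Finding]:
    """Return one Finding per record that triggers at least one check."""
    return [Finding(ev["RecordId"], r) for ev in events if (r := check_event(ev))]


# Constructed sample records (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {  # benign: wscript.exe from System32 with matching OriginalFileName
        "RecordId": "1", "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "wscript.exe",
    },
    {  # copy of wscript.exe launched under the name AMSI.DLL
        "RecordId": "2", "Image": r"C:\Users\alice\AppData\Local\Temp\AMSI.DLL",
        "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
    },
    {  # child process of the renamed host
        "RecordId": "3", "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AMSI.DLL", "OriginalFileName": "Cmd.Exe",
    },
    {  # wscript.exe copied to a user-writable directory but not renamed
        "RecordId": "4", "Image": r"C:\Users\alice\Downloads\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "wscript.exe",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.event_id, "; ".join(f.reasons))
```

The OriginalFileName check is the most robust of the three because it keys on the PE version resource rather than the file name the operator chose; the path check is the one most likely to need tuning per environment.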


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.