Bypass Record

AMSI Bypass × Microsoft Windows AMSI

A publicly-reported instance of an AMSI Bypass technique used against Microsoft Windows AMSI, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows AMSI
Technique
AMSI Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2026-01-13
Config / version noted
Not stated

Provenance

Reported as

defeats AMSI-integrated AV/EDR script content inspection without triggering detection

Mechanism

Uses .NET reflection to locate the non-public static field 'amsiInitFailed' on PowerShell's AMSI integration class, System.Management.Automation.AmsiUtils, and set it to true. The class then behaves as if AMSI initialization had failed and skips the scan call for every later script block in that process, which defeats AMSI-integrated AV/EDR script content inspection without triggering detection, as reported. The change is process-local (a new PowerShell process starts with AMSI intact), and the bypass statement is itself submitted to AMSI before it takes effect, so the unmodified form is commonly signatured and in practice is obfuscated.

Detection & mitigation

Monitor for .NET reflection targeting AMSI-related classes or members (for example Assembly.GetType resolving AmsiUtils, or a GetField/SetValue pair naming amsiInitFailed) via PowerShell script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational) or ETW. Script block logging records the bypass statement before it takes effect, and later blocks in the same process are still logged even though they are no longer scanned; expect the class and field names to be split, escaped or assembled at runtime, so match on normalized text rather than on the literal one-liner. Mitigation: enable AMSI provider integrity checks and consider application control to restrict untrusted .NET/script execution; WDAC or AppLocker enforcement places PowerShell in Constrained Language Mode, which blocks the arbitrary .NET type and reflection access the technique depends on.
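An added example for this record, not code from the cited source or from any vendor tooling: a small Python checker that applies the detection idea above to the mechanism described under Mechanism. It runs over constructed stand-ins for the ScriptBlockText field of Event ID 4104, first undoing the two cheapest obfuscations applied to the published one-liner (string-literal splitting and backtick escapes) and then matching on the AmsiUtils and amsiInitFailed names plus the reflective field access around them. The sample blocks, the severity tiers and the function names are assumptions of this example; the class and field names are the ones the record describes.

```python
"""Score PowerShell script blocks for the AmsiUtils.amsiInitFailed reflection
pattern. Added example for this record; the sample blocks below are constructed
stand-ins for the ScriptBlockText field of PowerShell Operational Event ID 4104,
not captured telemetry."""
import re

# Constructed ScriptBlockText samples (not real logs). "classic" is the widely
# published one-liner form of the technique; the others vary it or are benign.
SAMPLE_BLOCKS = {
    "benign-fs": "Get-ChildItem -Path C:\\Users | Where-Object { $_.PSIsContainer }",
    "benign-reflection": "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null",
    "classic": ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    "split-strings": ("$t='System.Management.Automation.Amsi'+'Utils';$f='amsiInit'+'Failed';"
                      "[Ref].Assembly.GetType($t).GetField($f,'NonPublic,Static').SetValue($null,$true)"),
    "backticks": ('[Ref].Assembly.GetType("System.Management.Automation.Ams`iUtils")'
                  '.GetField("amsiIn`itFailed","NonPublic,Static").SetValue($null,$true)'),
    "private-write": "[Some.Type].GetField('cache','NonPublic,Static').SetValue($null,$null)",
}

# 'abc'+'def' or "abc"+"def" -> 'abcdef' (same quote style on both sides)
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(block):
    """Undo cheap obfuscation before matching: drop backtick escapes (coarse:
    real escapes such as `n are not interpreted, which is acceptable for
    keyword matching), merge adjacent string-literal concatenations, lowercase."""
    text = block.replace("`", "")
    prev = None
    while prev != text:                       # repeat until no more merges
        prev = text
        text = _CONCAT.sub(r"\1\2\4\1", text)
    return text.lower()


AMSI_NAMES = ("amsiutils", "amsiinitfailed")


def classify(block):
    """high   : AMSI integration names plus reflective field access
       medium : AMSI names alone, or a non-public static field written via reflection
       low    : neither"""
    text = normalize(block)
    amsi = any(name in text for name in AMSI_NAMES)
    reflects = "getfield(" in text or "setvalue(" in text
    private_write = "getfield(" in text and "nonpublic" in text and "setvalue(" in text
    if amsi and reflects:
        return "high"
    if amsi or private_write:
        return "medium"
    return "low"


def scan(blocks):
    """Map each block name to its verdict."""
    return {name: classify(text) for name, text in blocks.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_BLOCKS).items():
        print(f"{verdict:<6} {name}")
```

Matching on normalized text rather than on the raw one-liner matters because the unmodified string is already signatured by AMSI-aware AV, so what reaches a log in practice is split or escaped. Names assembled at runtime (format operators, Base64, variable indexing) defeat a static matcher; the medium tier, a non-public static field written through reflection with no AMSI name visible, is the catch-all for those and is worth reviewing rather than suppressing.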

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.