AMSI Bypass
What is AMSI Bypass?
Techniques that disable, patch, or evade the Windows Antimalware Scan Interface so that scripts and in-memory payloads are not inspected by antivirus engines.
The Antimalware Scan Interface (AMSI) lets PowerShell, JavaScript, VBScript, .NET, and Office macros submit buffers to a registered antivirus for scanning before execution. AMSI bypasses neutralise this control, for example by patching amsi.dll!AmsiScanBuffer in memory to always return clean, hooking CLR functions, clearing the amsiInitFailed field on PowerShell's AmsiUtils, splitting and obfuscating strings, or downgrading to PowerShell v2. The goal is to run malicious scripts (Mimikatz, Invoke-Mimikatz, Cobalt Strike beacons) inside a trusted host process without alerting Defender or other engines. MITRE ATT&CK aligns these with T1562.001 (Impair Defenses: Disable or Modify Tools). Defences include AMSI providers tied to EDR, ASR rules, PowerShell constrained-language mode, AppLocker, and detection of unsigned memory patches in lsass-adjacent processes.
● Examples
- 01: Patching the first bytes of AmsiScanBuffer in memory so it always returns AMSI_RESULT_CLEAN.
- 02: Setting [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true).
● Frequently asked questions
What is AMSI Bypass?
Techniques that disable, patch, or evade the Windows Antimalware Scan Interface so that scripts and in-memory payloads are not inspected by antivirus engines. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against AMSI Bypass?
Defences for AMSI Bypass combine technical controls with operational practices. The full definition above names the main controls: AMSI providers tied to EDR, ASR rules, PowerShell constrained-language mode, AppLocker, and detection of unsigned in-memory patches.
What are other names for AMSI Bypass?
Common alternative names include: AMSI evasion.
● Related terms
- LOLBin / LOLBAS (attacks, № 632): A signed, native binary or script (LOLBin/LOLBAS) that attackers misuse for execution, download, persistence, or bypass while looking like a legitimate admin tool.
- Living off the Land (attacks, № 616): An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware.
- Fileless Malware (malware, № 417): Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Defense Evasion (defense-ops, № 298): The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- Mimikatz (defense-ops, № 682): An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- EDR (Endpoint Detection and Response) (defense-ops, № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.