This note documents detection patterns related to AMSI Bypass within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| PowerShell | 4104 | Script block logging | Critical | AMSI bypass strings often visible before suppression succeeds. |
| Security | 4688 | Process creation | Critical | Detects PowerShell and loader execution. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for bypass chains. |
| Sysmon | 7 | Image loaded | High | Suspicious memory patching helpers / DLL loads. |
| Sysmon | 10 | Process access | High | Memory writes into scripting processes. |
| Sysmon | 11 | File create | Medium | Loader dropped before bypass. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Known AMSI strings | AmsiUtils, amsi.dll, AmsiScanBuffer | Critical | Classic bypass footprint. |
| Reflection patching | Memory write to AMSI function | Critical | Strong evasion clue. |
| PowerShell suddenly loses telemetry depth | Reduced visibility | Critical | Operational symptom. |
| Encoded PowerShell before suspicious execution | Staged bypass | Critical | Common attacker pattern. |
| DLL patching in script host | AMSI disabled in runtime | High | Valuable anomaly. |
| Loader then script execution | Staged evasion chain | High | Strong sequence. |
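The "Encoded PowerShell before suspicious execution" row is the one a plain string search misses: when the script arrives via `-EncodedCommand`, the AMSI strings are hidden inside a base64 blob in the 4688 command line. The following Python triage helper, added here as an example and not part of the original note, decodes such command lines (PowerShell encodes the script as UTF-16LE base64) and then applies the same known-string check from the table. The `SAMPLE_EVENTS` list, the host names and the script body inside the encoded command are constructed for illustration.

```python
import base64
import re

# Classic AMSI bypass footprint strings from the indicator table above.
AMSI_STRINGS = ("AmsiUtils", "AmsiScanBuffer", "amsi.dll")

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
# Requiring whitespace after the switch keeps "-ep Bypass" (ExecutionPolicy) from matching.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_amsi_strings(text):
    """Case-insensitive substring match, in the order the strings are listed in AMSI_STRINGS."""
    low = text.lower()
    return [s for s in AMSI_STRINGS if s.lower() in low]


def triage_command_line(cmdline):
    """Check both the raw command line and, when present, the decoded -EncodedCommand payload."""
    decoded = decode_encoded_command(cmdline)
    found = set(find_amsi_strings(cmdline))
    if decoded is not None:
        found |= set(find_amsi_strings(decoded))
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "matches": [s for s in AMSI_STRINGS if s in found],
    }


def scan_events(events):
    """Run the triage over 4688-style records and return one hit per command line with AMSI strings."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        result = triage_command_line(ev.get("CommandLine", ""))
        if result["matches"]:
            hits.append({
                "Computer": ev["Computer"],
                "NewProcessName": ev["NewProcessName"],
                "encoded": result["encoded"],
                "matches": result["matches"],
            })
    return hits


def _encode_for_sample(script):
    # Used only to build constructed sample data: PowerShell expects UTF-16LE, base64-encoded.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed 4688 records (hypothetical hosts and command lines, not real telemetry).
_PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": _PS_PATH,
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _encode_for_sample("# constructed sample: references AmsiScanBuffer\nWrite-Output 'stage'")},
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": _PS_PATH,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

Only the first constructed record is reported: the encoded payload decodes to a script that names `AmsiScanBuffer`, while the second is an ordinary scripted run with no AMSI footprint. The `encoded` flag in the hit is worth keeping as an enrichment field, since the table treats encoding before suspicious execution as its own indicator.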
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Reflection AMSI bypass |
| Cobalt Strike | Built-in AMSI bypass |
| custom loaders | In-memory AMSI patching |
| .NET loaders | Reflection-based suppression |
Relevant Artifacts
- PowerShell 4104
- Security Event ID 4688
- Sysmon Event IDs 1, 7, 10, 11
- Strings:
  - AmsiScanBuffer
  - amsi.dll
  - AmsiUtils
- Process memory context
- EDR script telemetry
MITRE ATT&CK References
- T1562.001 Impair Defenses
Decision Tree
- Which process?
  - powershell
  - wscript
  - loader
- Which bypass style?
  - Reflection
  - Patch
  - DLL tamper
- Script observed before suppression?
  - Encoded
  - Plaintext
  - Loader chain
- Follow-on execution?
  - Payload
  - Injection
  - Download
- Expand:
  - Defender tampering
  - ETW tampering
  - LOLBIN chain
- Scope:
  - Single bypass
  - Repeated framework behavior
  - Campaign pattern
Example Detection Templates
KQL

```kql
PowerShell
| where EventID == 4104
| where ScriptBlockText has_any ("AmsiUtils","AmsiScanBuffer","amsi.dll")
| project TimeGenerated, Computer, ScriptBlockText
```

```kql
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith "powershell.exe"
| project TimeGenerated, Computer, CommandLine
```

EQL

```eql
process where process.command_line like "*Amsi*"
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.name == "powershell.exe" ]
  [ process where process.command_line like "*Amsi*" ]
```

Sigma

```yaml
title: AMSI Bypass Detection
id: 2b7d5a12-amsi-bypass
status: experimental
description: Detects common AMSI bypass strings in PowerShell
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: powershell
detection:
  selection:
    ScriptBlockText|contains:
      - 'AmsiUtils'
      - 'AmsiScanBuffer'
      - 'amsi.dll'
  condition: selection
fields:
  - ScriptBlockText
falsepositives:
  - Security research
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
```
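The EQL sequence above is the piece analysts most often want to reproduce outside a SIEM: a powershell.exe start on a host, followed within five minutes by an event that carries an AMSI string. The Python below, added as an example and not part of the original note, implements that correlation over a flat list of normalised events (process starts and 4104 script blocks on the same timeline), using the same case-insensitive substring match that the Sigma `|contains` modifier and the KQL `has_any` perform. It is a simplification of EQL semantics: each AMSI-string event pairs with the most recent powershell.exe start on its host that falls inside `maxspan`. The event schema and the `SAMPLE_EVENTS` records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Classic AMSI bypass footprint strings (the same list the Sigma selection uses).
AMSI_STRINGS = ("AmsiUtils", "AmsiScanBuffer", "amsi.dll")


def has_amsi_string(text):
    """Case-insensitive substring match, mirroring Sigma |contains and KQL has_any."""
    low = text.lower()
    return any(s.lower() in low for s in AMSI_STRINGS)


def find_bypass_sequences(events, maxspan=timedelta(minutes=5)):
    """Simplified 'sequence by host with maxspan' over normalised events.

    Each event is a dict with: time (ISO 8601), host, kind ("process" or "scriptblock"),
    name (process image name, empty for script blocks) and text (command line or script body).
    Returns one hit per AMSI-string event that follows a powershell.exe start within maxspan.
    """
    hits = []
    starts = {}  # host -> powershell.exe start times seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        # Match against earlier starts only, so an event never pairs with itself.
        if has_amsi_string(ev.get("text", "")):
            candidates = [s for s in starts.get(host, []) if timedelta(0) <= t - s <= maxspan]
            if candidates:
                hits.append({
                    "host": host,
                    "start": max(candidates).isoformat(),
                    "match": ev["time"],
                    "kind": ev["kind"],
                })
        if ev["kind"] == "process" and ev.get("name", "").lower() == "powershell.exe":
            starts.setdefault(host, []).append(t)
    return hits


# Constructed timeline (hypothetical hosts and bodies, not real telemetry):
#   WS01: powershell start, then a 4104 block naming AmsiUtils 2.5 minutes later  -> hit
#   WS02: powershell start, then an AMSI-string block 30 minutes later            -> outside maxspan
#   WS03: an AMSI-string block with no preceding powershell start                 -> no sequence
SAMPLE_EVENTS = [
    {"time": "2026-03-07T10:00:00", "host": "WS01", "kind": "process", "name": "powershell.exe",
     "text": "powershell.exe -nop -w hidden"},
    {"time": "2026-03-07T10:02:30", "host": "WS01", "kind": "scriptblock", "name": "",
     "text": "# constructed 4104 body mentioning AmsiUtils"},
    {"time": "2026-03-07T09:00:00", "host": "WS02", "kind": "process", "name": "powershell.exe",
     "text": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"time": "2026-03-07T09:30:00", "host": "WS02", "kind": "scriptblock", "name": "",
     "text": "# constructed 4104 body mentioning amsi.dll"},
    {"time": "2026-03-07T11:00:00", "host": "WS03", "kind": "scriptblock", "name": "",
     "text": "# constructed 4104 body mentioning AmsiScanBuffer"},
]

if __name__ == "__main__":
    for hit in find_bypass_sequences(SAMPLE_EVENTS):
        print(hit)
```

Only WS01 produces a hit. WS02 shows why `maxspan` matters for triage (the string appears, but half an hour after the launch, so the sequence does not close), and WS03 shows that the sequence form deliberately stays silent without the preceding launch, which is exactly the gap the standalone Sigma rule above is there to cover.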
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Preserve 4104 | Critical visibility | Critical | Core AMSI signal |
| Alert on AMSI strings | Low false positives | Critical | High-value detection |
| Watch memory tampering | Patch detection | High | Strong enrichment |
| Correlate with payload launch | Confirm malicious chain | Critical | Strong triage |
| Harden PowerShell policy | Reduce abuse | High | Prevent execution |