Understanding AMSI bypass techniques

Nicholas Koken
April 4, 2024

As attack techniques evolve to outpace defenders, one area growing in prominence is circumventing known threat detection methods. One example is bypassing the Anti-Malware Scan Interface, or AMSI. Let’s explore how attackers can bypass AMSI and how organizations can defend against these types of attacks.

What is AMSI?

Created by Microsoft, AMSI interfaces between the system and the user to scan applications, user-generated data, and other services for evidence of malware. Although designed with Windows Defender in mind, AMSI works with any endpoint security solution. AMSI primarily scans:

  • PowerShell scripts: AMSI scans PowerShell in real time for evidence of malicious or otherwise anomalous scripts.
  • Microsoft Office macros: Although natively blocked in the newest versions of Office, macros can contain malicious scripts that activate when run, which AMSI scans and blocks as needed.
  • Windows-supported scripting languages: JavaScript and other similar languages that are used by web browsers to automate tasks can also contain embedded malicious code, which AMSI scans.

Techniques for bypassing AMSI

Despite being a crucial layer of defense against ransomware, fileless attacks, and other kinds of malware, attackers can still find ways to slip past AMSI undetected. Here are some ways AMSI is being exploited by today’s threat actors.

  • Obfuscation: Through clever code manipulation, attackers can disguise malicious scripts as normal ones, or otherwise encode their payloads so AMSI can’t identify them.
  • Memory patching: This technique targets AMSI itself, remapping the memory allocated for its scans so that it stops working and is blind to incoming attacks.
  • Exploiting weaknesses: By finding mistakes in the AMSI implementation or in its integration with an endpoint security solution, attackers can subvert AMSI altogether.
  • Legitimate scripts: Using known scripts, adversaries can create attack strings that pass by AMSI without raising alarms.
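
From the defender's side of the obfuscation and memory patching items above, the following added example (not from the original article and not Todyl's detection logic) scans PowerShell script block text, such as the content of Event ID 4104 records, for names tied to AMSI internals after undoing simple string splitting. The indicator list, host names and sample events are constructed for illustration.

```python
import re

# Names tied to AMSI internals that routine admin scripts rarely mention.
# Constructed for this example; tune the list against your own baseline.
INDICATORS = {
    "amsiutils": "PowerShell's internal AMSI helper class",
    "amsiinitfailed": "AMSI initialisation state field",
    "amsiscanbuffer": "scan function exported by amsi.dll",
    "amsi.dll": "the AMSI library itself",
}

# Quotes, '+', backticks and whitespace are the usual ways a script splits
# a string so that a literal signature no longer matches.
_SPLITTERS = re.compile(r"""['"`+\s]""")


def normalize(script_text):
    """Undo simple string splitting: 'Am' + 'si' becomes 'amsi'."""
    return _SPLITTERS.sub("", script_text).lower()


def scan_script_block(script_text):
    """Return the sorted indicator names found in one script block."""
    flat = normalize(script_text)
    return sorted(name for name in INDICATORS if name in flat)


def triage(events):
    """Group hits by host. events is an iterable of (host, script_text)."""
    findings = {}
    for host, text in events:
        hits = scan_script_block(text)
        if hits:
            findings.setdefault(host, set()).update(hits)
    return {host: sorted(names) for host, names in findings.items()}


# Constructed sample script blocks (fragments only, not taken from real logs).
SAMPLE_EVENTS = [
    ("ws-01", "Get-ChildItem C:\\Reports | Sort-Object Length"),
    ("ws-02", "$t = 'Amsi' + 'Utils'"),
    ("ws-03", "$n = \"Amsi`Scan\" + \"Buffer\""),
    ("ws-02", "$lib = 'amsi.dll'"),
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, [f"{n}: {INDICATORS[n]}" for n in names])
```

Script block logging has to be enabled for these records to exist, and a match is a lead to investigate rather than proof, since security tooling and documentation scripts also mention these names.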


How Todyl defends against AMSI bypass

Todyl’s Endpoint Security solution is tuned to detect many of these instances of AMSI bypass. Using detection logic that doesn’t rely on AMSI, Todyl can identify anomalies that indicate ransomware, malware, and in-memory attacks, even if they’ve bypassed AMSI already. Then, in Todyl’s managed cloud SIEM, you can see which systems were affected in real time, with case bucketing logic that correlates and groups events by severity.  

Beyond these, Todyl’s MXDR team monitors your entire environment, with human analysts examining every alert on top of the automated analysis done by the product. That way, nothing slips through the cracks, and your organization remains protected from AMSI bypass and many other forms of attack 24x7.

Learn more

See how Todyl can help you defend in depth against AMSI and many other prominent attack vectors. Book a demo today.
