Phase 3 · T1562.001 · Advanced

Detecting AMSI Bypass Attempts

Identify in-script AMSI tampering patterns.

#PowerShell #Advanced #ATT&CK

Detection Objective

Match known AMSI bypass strings via Script Block Logging.

Real-World Attack Scenario

Adversary patches amsi.dll!AmsiScanBuffer to neutralize AV inspection.

Why This Detection Matters

AMSI bypass is a defining behavior of advanced PowerShell tradecraft.

ATT&CK Mapping

T1562.001 · Impair Defenses
Tactic: Defense Evasion

Required Telemetry

  • PowerShell 4104 Script Block Logging
Windows Event IDs: 4104
Sysmon Event IDs: (none listed)
Wazuh Log Source: Microsoft-Windows-PowerShell/Operational

Setup Steps

  1. Enable Script Block Logging and forward to Wazuh.

Safe Validation Command

Log an inert string matching a known bypass token (no patching).
powershell.exe -c "Write-Host 'detection-test: amsiInitFailed reference'"
⚠ lab use only · this project does not execute real malware

Expected Log Output

EventID 4104 ScriptBlockText contains 'amsiInitFailed'

Detection Logic (Wazuh rule concept)

ScriptBlockText matches /(?i)(amsiInitFailed|AmsiScanBuffer|amsi\.dll|System\.Management\.Automation\.AmsiUtils)/

False Positives

  • Security tool authors testing AMSI

Tuning Recommendations

  • Allowlist by signing thumbprint of the script.
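Both the rule concept above and the thumbprint allowlist, worked through in Python as an added example (it is not part of this project's Wazuh ruleset): the page's regex is applied to constructed EID 4104 records and a hit is suppressed when the script's Authenticode signer thumbprint is allowlisted. The sample events, the path-to-thumbprint lookup, the `evaluate_4104`/`triage` names and the placeholder thumbprint are assumptions; since 4104 carries no signature data, the thumbprint is assumed to arrive from an enrichment step such as Get-AuthenticodeSignature.

```python
import re

# Token regex from the "Detection Logic (Wazuh rule concept)" section; (?i) makes it case-insensitive.
AMSI_BYPASS_RE = re.compile(
    r"(?i)(amsiInitFailed|AmsiScanBuffer|amsi\.dll|System\.Management\.Automation\.AmsiUtils)"
)

# Tuning: signer thumbprints whose scripts may legitimately reference AMSI.
# Placeholder value constructed for this example, not a real certificate thumbprint.
ALLOWLISTED_THUMBPRINTS = {"THUMBPRINT-PLACEHOLDER-INTERNAL-TOOLING": "internal security tooling"}

# Assumed enrichment: script path -> Authenticode signer thumbprint (e.g. via Get-AuthenticodeSignature),
# needed because EID 4104 itself carries no signature data.
SIGNER_BY_PATH = {"C:\\Tools\\amsi-check.ps1": "THUMBPRINT-PLACEHOLDER-INTERNAL-TOOLING"}

# Constructed sample records shaped like EID 4104 EventData (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Path": "",  # the page's validation command
     "ScriptBlockText": "Write-Host 'detection-test: amsiInitFailed reference'"},
    {"EventID": 4104, "Path": "",  # benign admin activity
     "ScriptBlockText": "Get-ChildItem -Path C:\\Temp -Recurse"},
    {"EventID": 4104, "Path": "C:\\Tools\\amsi-check.ps1",  # signed security tool (false positive source)
     "ScriptBlockText": "# probe AmsiScanBuffer hook status"},
    {"EventID": 4103, "Path": "", "ScriptBlockText": "amsi.dll"},  # not a script block event
]

def evaluate_4104(event, thumbprint=None):
    """Return (fired, matched_tokens, reason) for one event; only 4104 script blocks are scanned."""
    if event.get("EventID") != 4104:
        return False, [], "not a 4104 script block event"
    tokens = sorted({m.group(1) for m in AMSI_BYPASS_RE.finditer(event.get("ScriptBlockText", ""))})
    if not tokens:
        return False, [], "no AMSI bypass token"
    if thumbprint in ALLOWLISTED_THUMBPRINTS:  # tuning: suppress allowlisted signers, keep tokens for audit
        return False, tokens, "allowlisted signer: " + ALLOWLISTED_THUMBPRINTS[thumbprint]
    return True, tokens, "rule 100329 match"

def triage(events, signer_by_path=SIGNER_BY_PATH):
    """Run the rule over a batch and return only the events that should alert."""
    alerts = []
    for ev in events:
        fired, tokens, reason = evaluate_4104(ev, signer_by_path.get(ev.get("Path", "")))
        if fired:
            alerts.append({"ScriptBlockText": ev["ScriptBlockText"], "tokens": tokens, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The rule matches literal tokens only, which is why the ETW-based amsi.dll integrity check listed under Detection Improvement Ideas is worth pairing with it.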

Analyst Triage Notes

  • Capture the full script body and the host's AMSI provider state.

Detection Improvement Ideas

  • Add ETW-based amsi.dll integrity check.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
Rule: 100329 (Detecting AMSI Bypass Attempts)
Channel: Microsoft-Windows-PowerShell/Operational
Event ID: Windows EID 4104
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -c "Write-Host 'detection-test: amsiInitFailed reference'"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
Analyst note: Capture the full script body and the host's AMSI provider state.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • (no high-risk flags in this test)
    Signal value comes from context (parent, network, persistence) rather than flags.

Parsed Fields the Analyst Reads

  • Image: process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it — context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments — where attacker intent shows up.
    powershell.exe -c "Write-Host 'detection-test: amsiInitFailed reference'"
  • User: account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Windows EID 4104
  • Wazuh Rule ID: rule that matched and produced this alert.
    100329
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened — anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

Pattern: AMSI Bypass Attempts
Description: Adversary patches amsi.dll!AmsiScanBuffer to neutralize AV inspection.
Analyst takeaway: AMSI bypass is a defining behavior of advanced PowerShell tradecraft. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

Test command: powershell.exe -c "Write-Host 'detection-test: amsiInitFailed reference'"
Expected event: Windows EID 4104 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
Expected Wazuh alert: Wazuh rule 100329 ("Detecting AMSI Bypass Attempts") fires at a level matching severity=high.
Confirming log fields: Image, ParentImage, CommandLine, User, EventID
Analyst interpretation: The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
Conclusion: Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.