AMSI-PATCHDefense Evasion

AMSI In-Memory Patch

Patch AmsiScanBuffer in amsi.dll memory to return clean — PowerShell / VBA / .NET runtime emits content unscanned.

§ Where this technique fits

AMSI-PATCH is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

AMSI patch → in-memory .NET / PowerShell stager
Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.
step 2 / 6

§ What commonly comes next

01
ETW Event-Tracing Patch
ETW-PATCH · Defense Evasion
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

AMSI patch → in-memory .NET / PowerShell stager

§ What commonly comes next