BIPI

AMSI, ETW, and PowerShell Logging Bypass for Red Teams

Cybersecurity

Three telemetry surfaces stand between PowerShell tradecraft and the SOC: AMSI, ETW, and Script Block Logging. A practical bypass catalogue with code, plus the detections that still catch every variant.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 23, 2025 · 11 min read

#amsi #etw #powershell #red-team #evasion

The three telemetry surfaces

  • AMSI: in-process content scanning, called by powershell.exe, wscript, Office
  • ETW: kernel and user-mode event tracing, drives most EDR sensors
  • PowerShell logging: Module, Script Block (4104), and Transcription

AMSI bypass family

AMSI is a thin DLL (amsi.dll) loaded into the scanning process itself. Because the attacker already controls that process, AMSI is bypassable by definition; Microsoft's response is to signature the bypass strings, a game of whack-a-mole.

ETW patching

ETW providers feed sensors such as Defender for Endpoint, Sysmon, and Elastic. Patching EtwEventWrite in ntdll.dll silences the patched process's own outbound telemetry without disabling ETW globally: the tamper is loud to a kernel-mode sensor but invisible to one that relies only on user-mode providers.

Script Block Logging (4104) evasion

  • Encoded one-liners still log decoded content via 4104
  • Use legitimate cmdlets only; move payload into a C# in-memory loader
  • Concatenation and reflection delay AST capture but rarely defeat it
  • Best bet: do not run PowerShell. Use C# via Add-Type or a custom runspace

Custom runspaces

A custom .NET runspace executes PowerShell without spawning powershell.exe. AMSI still loads inside the host process, but Module and Script Block logging tied to powershell.exe do not fire. This is why C2 frameworks like Cobalt Strike and Sliver embed their own runspaces.

PowerShell v2 downgrade

PowerShell 2 has no AMSI and no Script Block Logging. Microsoft has been removing the engine. On modern Server 2022 and Win11 it is gone, but plenty of legacy fleets still ship it.

Detection that survives bypass

  • Event 400/403 (engine state) in the Windows PowerShell log catches a PowerShell v2 downgrade
  • Sysmon Event 7 (image load) of amsi.dll into processes that are not known script hosts
  • SilkETW or KrabsETW consuming ETW providers from a separate sensor process, out of reach of an in-process patch
  • Defender for Endpoint AMSI tamper detection (cloud-side correlation)
  • Memory scanning by Defender ATP catches in-process patches post hoc
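The first two detections above can be hunted from the event logs directly. The following PowerShell is an added example, not code from the BIPI post or from any tool it names: it pulls engine-state events 400/403 whose details carry EngineVersion=2.0 (the downgrade signal) and Sysmon Event 7 image loads of amsi.dll into any process outside an assumed baseline of script hosts. The `$KnownAmsiHosts` list is a constructed starting point to tune per fleet; the function names are this example's own.

```powershell
# Added example (not from the BIPI post): hunt for two signals that survive in-process bypasses.
# Run elevated on an endpoint, or point Get-WinEvent at a collector with -ComputerName.

# 1. PowerShell v2 downgrade. Events 400/403 in the classic "Windows PowerShell" log
#    embed the engine version in their Details block, e.g. "EngineVersion=2.0".
function Get-PowerShellV2Starts {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400, 403
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            HostName = [regex]::Match($_.Message, 'HostName=(.+)').Groups[1].Value.Trim()
            HostApp  = [regex]::Match($_.Message, 'HostApplication=(.+)').Groups[1].Value.Trim()
        }
    }
}

# 2. amsi.dll loaded by a process that is not a known script host (Sysmon Event 7).
#    A custom runspace hosted in an implant or C# loader still pulls amsi.dll into
#    its own process, so the loading image name is the signal.
# Assumed baseline of legitimate AMSI callers; extend with what your fleet actually runs.
$KnownAmsiHosts = @(
    'powershell.exe', 'pwsh.exe', 'powershell_ise.exe', 'wscript.exe', 'cscript.exe',
    'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe',
    'msbuild.exe', 'MsMpEng.exe'
)

function Get-UnexpectedAmsiLoads {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Sysmon fields live in EventData/Data elements keyed by a Name attribute.
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $image  = ($data | Where-Object Name -eq 'Image').'#text'
        $loaded = ($data | Where-Object Name -eq 'ImageLoaded').'#text'
        if ($loaded -like '*\amsi.dll' -and
            $KnownAmsiHosts -notcontains (Split-Path $image -Leaf)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $image; Loaded = $loaded }
        }
    }
}

Get-PowerShellV2Starts   | Format-Table -AutoSize
Get-UnexpectedAmsiLoads  | Format-Table -AutoSize
```

Both queries depend on the logs being present: the Windows PowerShell classic log exists on every host, but the Sysmon channel needs Sysmon installed with an ImageLoad rule that includes amsi.dll. Forward the same two event IDs to the SIEM so the hunt does not rely on the endpoint's local log retention.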

Hardening

  • Remove the PowerShell v2 engine (Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2)
  • Enable Constrained Language Mode for non-admins (WDAC plus AppLocker)
  • Force JEA (Just Enough Administration) on admin shells
  • Enable Script Block Logging via GPO and ship 4104 to SIEM
  • Defender ASR "Block all Office applications from creating child processes"
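The hardening list above maps to a handful of administrative commands. This PowerShell is an added example, not a script from the BIPI post: it removes both v2 engine features, sets the same registry values the Script Block Logging and Module Logging GPOs write, enables the named ASR rule (its GUID is Microsoft's published identifier for "Block all Office applications from creating child processes"), and reports whether the current session is already in Constrained Language Mode. JEA and the WDAC/AppLocker policy that enforces CLM need their own role-capability and policy files and are left to those tools.

```powershell
# Added example (not from the BIPI post): apply the hardening items listed above. Run elevated.
#Requires -RunAsAdministrator

# 1. Remove the PowerShell 2.0 engine, which has neither AMSI nor Script Block Logging.
foreach ($feature in 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    if ($state -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        "Disabled $feature"
    }
}

# 2. Script Block Logging: these are the registry values the GPO sets. Once enabled,
#    4104 fires in Microsoft-Windows-PowerShell/Operational for every script block,
#    including the decoded form of -EncodedCommand one-liners.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging for all modules adds 4103 pipeline telemetry alongside 4104.
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Defender ASR rule "Block all Office applications from creating child processes".
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Report whether CLM is already enforced for this user; WDAC or AppLocker sets it.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
```

The 4104 events only matter once they leave the host, so pair the logging settings with a forwarding rule (WEF or the SIEM agent) for Microsoft-Windows-PowerShell/Operational; on an admin workstation expect the LanguageMode line to read ConstrainedLanguage once the WDAC policy is in place.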

  • 100+: public AMSI bypass variants on GitHub
  • Seconds: time for Defender to flag a known bypass string
  • Growing fast: engagements where C# replaces PowerShell entirely

AMSI and ETW are speed bumps. The real wall is centralized 4104 logging plus WDAC.
