Windows Defender AMSI Trigger Detected

 1title: Windows Defender AMSI Trigger Detected
 2id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
 3status: stable
 4description: Detects triggering of AMSI by Windows Defender.
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
 7author: Bhabesh Raj
 8date: 2020-09-14
 9modified: 2022-12-07
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: windows
15    service: windefend
16detection:
17    selection:
18        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
19        SourceName: 'AMSI'
20    condition: selection
21falsepositives:
22    - Unlikely
23level: high

References

• How AMSI helps you defend against malware - Win32 apps

  

  As an application developer, you can actively participate in malware defense. Specifically, you can help protect your customers from dynamic script-based malware, and from non-traditional avenues of cyber attack.

  
  Read More

Related rules

• Abusable DLL Potential Sideloading From Suspicious Location
• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• Atlassian Confluence CVE-2022-26134
• Azure New CloudShell Created