Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Sigma rule (View on GitHub)

 1title: Windows Defender AMSI Trigger Detected
 2id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
 3status: stable
 4description: Detects triggering of AMSI by Windows Defender.
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
 7author: Bhabesh Raj
 8date: 2020-09-14
 9modified: 2022-12-07
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: windows
15    service: windefend
16detection:
17    selection:
18        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
19        SourceName: 'AMSI'
20    condition: selection
21falsepositives:
22    - Unlikely
23level: high

References

Related rules

to-top