Windows Defender AMSI Trigger Detected

 1title: Windows Defender AMSI Trigger Detected
 2id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
 3status: stable
 4description: Detects triggering of AMSI by Windows Defender.
 5references:
 6    - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
 7author: Bhabesh Raj
 8date: 2020/09/14
 9modified: 2022/12/07
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: windows
15    service: windefend
16detection:
17    selection:
18        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
19        SourceName: 'AMSI'
20    condition: selection
21falsepositives:
22    - Unlikely
23level: high

References

• How AMSI helps you defend against malware - Win32 apps

  

  As an application developer, you can actively participate in malware defense. Specifically, you can help protect your customers from dynamic script-based malware, and from non-traditional avenues of cyber attack.

  
  Read More

Related rules

• Add Potential Suspicious New Download Source To Winget
• Elevated System Shell Spawned From Uncommon Parent Location
• Windows Defender Threat Detected
• Fsutil Behavior Set SymlinkEvaluation
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)