Windows AMSI Related Registry Tampering Via CommandLine

Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.

Sigma rule

title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
      type: similar
status: experimental
description: |
    Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
    AMSI provides a generic interface for applications and services to integrate with antimalware products.
    Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
    - https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1562.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_key:
        CommandLine|contains|all:
            - '\Software\Microsoft\Windows Script\Settings'
            - 'AmsiEnable'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains: 'add'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd:
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'sp '
    condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
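
To see how the selections and the condition combine, the following added example (not part of the Sigma project or of this rule's regression data) re-implements the detection logic in Python and runs it over constructed process-creation events. The event names, the `tool.exe` path and the `<data>` placeholder are assumptions made for illustration.

```python
# Added example: the rule's condition re-implemented for constructed events.
KEY = r"\Software\Microsoft\Windows Script\Settings"

def contains(value, needles, require_all=False):
    """Sigma 'contains' (case-insensitive); require_all mirrors '|all'."""
    hits = [n.lower() in value.lower() for n in needles]
    return all(hits) if require_all else any(hits)

def image_is(event, suffixes, original_names):
    """A list of maps in a Sigma selection is OR: Image suffix or PE OriginalFileName."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(tuple(s.lower() for s in suffixes)) or \
        ofn in {n.lower() for n in original_names}

def rule_matches(event):
    cmd = event.get("CommandLine", "")
    selection_key = contains(cmd, [KEY, "AmsiEnable"], require_all=True)
    reg = image_is(event, ["\\reg.exe"], ["reg.exe"]) and contains(cmd, ["add"])
    ps = (image_is(event, ["\\powershell.exe", "\\pwsh.exe"], ["PowerShell.EXE", "pwsh.dll"])
          and contains(cmd, ["Set-ItemProperty", "New-ItemProperty", "sp "]))
    return selection_key and (ps or reg)

REG = {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe"}
PS = {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "OriginalFileName": "PowerShell.EXE"}
# Constructed process_creation events; <data> stands in for the value written.
EVENTS = {
    "reg_add": {**REG, "CommandLine": rf'reg add "HKCU{KEY}" /v AmsiEnable /t REG_DWORD /d <data> /f'},
    "reg_renamed": {"Image": r"C:\Users\Public\tool.exe", "OriginalFileName": "reg.exe",
                    "CommandLine": rf'tool.exe ADD "HKCU{KEY}" /v amsienable /d <data>'},
    "reg_query": {**REG, "CommandLine": rf'reg query "HKCU{KEY}" /v AmsiEnable'},
    "ps_set": {**PS, "CommandLine": rf"powershell -c Set-ItemProperty -Path 'HKCU:{KEY}' -Name AmsiEnable -Value <data>"},
    "ps_get": {**PS, "CommandLine": rf"powershell -c Get-ItemProperty -Path 'HKCU:{KEY}' -Name AmsiEnable"},
    "reg_other_key": {**REG, "CommandLine": r'reg add "HKCU\Software\Example" /v AmsiEnable /d <data>'},
}

def matched_names():
    """Names of the constructed events that would raise an alert."""
    return sorted(name for name, ev in EVENTS.items() if rule_matches(ev))

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:14} {'ALERT' if rule_matches(ev) else '-'}")
```

The rule keys only on the registry path, the value name and a write verb, so it fires whatever data is written, while the read-only `reg_query` and `ps_get` events stay silent. The `reg_renamed` event shows why `OriginalFileName` sits beside `Image` in the image selections.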
