Windows AMSI Related Registry Tampering Via CommandLine

Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.

Sigma rule

title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
      type: similar
status: experimental
description: |
    Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
    AMSI provides a generic interface for applications and services to integrate with antimalware products.
    Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
    - https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_key:
        CommandLine|contains|all:
            - '\Software\Microsoft\Windows Script\Settings'
            - 'AmsiEnable'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains: 'add'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd:
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'sp '
    condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
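To see how the condition above resolves, the following added example (not part of the rule, and not Sigma's own evaluation backend) transcribes each selection into a Python predicate and runs the combined condition over a handful of constructed process_creation events. It assumes the Sigma default that `contains` and `endswith` match case-insensitively, that a list of maps under one selection is an OR, and that `contains|all` requires every listed substring. The event dictionaries use the rule's own field names (Image, OriginalFileName, CommandLine) and are made up for the test.

```python
# Added example: evaluator for the Sigma rule's condition over constructed events.
# Not Sigma's backend or the rule author's code; field names follow the rule.

KEY_SUBSTRINGS = ("\\Software\\Microsoft\\Windows Script\\Settings", "AmsiEnable")
REG_IMAGE_SUFFIXES = ("\\reg.exe",)
REG_ORIGINAL_NAMES = ("reg.exe",)
PS_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
PS_ORIGINAL_NAMES = ("PowerShell.EXE", "pwsh.dll")
PS_CMDLETS = ("Set-ItemProperty", "New-ItemProperty", "sp ")  # 'sp' is the Set-ItemProperty alias


def _contains(value, needle):
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in (value or "").lower()


def _endswith(value, suffix):
    """Sigma 'endswith' modifier: case-insensitive suffix test."""
    return (value or "").lower().endswith(suffix.lower())


def _equals_any(value, options):
    """Plain Sigma field match (no modifier): case-insensitive equality with any listed value."""
    return (value or "").lower() in {o.lower() for o in options}


def selection_key(event):
    # contains|all: every listed substring must appear in CommandLine
    return all(_contains(event.get("CommandLine"), s) for s in KEY_SUBSTRINGS)


def selection_reg_img(event):
    # a list of maps under one selection is an OR between the maps
    return any(_endswith(event.get("Image"), s) for s in REG_IMAGE_SUFFIXES) or \
        _equals_any(event.get("OriginalFileName"), REG_ORIGINAL_NAMES)


def selection_reg_cmd(event):
    return _contains(event.get("CommandLine"), "add")


def selection_powershell_img(event):
    return any(_endswith(event.get("Image"), s) for s in PS_IMAGE_SUFFIXES) or \
        _equals_any(event.get("OriginalFileName"), PS_ORIGINAL_NAMES)


def selection_powershell_cmd(event):
    # contains with a list of values: any one substring is enough
    return any(_contains(event.get("CommandLine"), s) for s in PS_CMDLETS)


def matches(event):
    """condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)"""
    powershell_branch = selection_powershell_img(event) and selection_powershell_cmd(event)
    reg_branch = selection_reg_img(event) and selection_reg_cmd(event)
    return selection_key(event) and (powershell_branch or reg_branch)


# Constructed sample events (not real telemetry); paths and values are made up for the test.
SAMPLE_EVENTS = [
    {   # reg.exe writing AmsiEnable under the Windows Script Settings key -> reg branch
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable /t REG_DWORD /d 0 /f',
    },
    {   # Windows PowerShell with the full cmdlet name -> powershell branch
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Script\Settings' -Name AmsiEnable -Value 0",
    },
    {   # pwsh using the 'sp ' alias; OriginalFileName for pwsh is pwsh.dll, as the rule expects
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r"pwsh -c sp 'HKCU:\Software\Microsoft\Windows Script\Settings' AmsiEnable 0",
    },
    {   # read-only query: key and value name present but no 'add' -> no match
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg query "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable',
    },
    {   # PowerShell read with Get-ItemProperty: no write cmdlet substring -> no match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c Get-ItemProperty 'HKCU:\Software\Microsoft\Windows Script\Settings' -Name AmsiEnable",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event, in order: True where the rule would fire."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("MATCH  " if hit else "no hit ", event["CommandLine"])
```

The first three events fire and the two read-only ones do not, which is the intended split: the key selection alone is deliberately not enough, and each tool branch also needs its write indicator (`add` for reg.exe, a write cmdlet or the `sp ` alias for PowerShell). When tuning, note that `sp ` and `add` are short substrings, so a real deployment should be checked against the regression data the rule points to rather than only against these constructed lines.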
