Potential Persistence Via New AMSI Providers - Registry

 1title: Potential Persistence Via New AMSI Providers - Registry
 2id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
 3status: test
 4description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
 5references:
 6    - https://persistence-info.github.io/Data/amsi.html
 7    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/07/21
10modified: 2023/02/07
11tags:
12    - attack.persistence
13logsource:
14    category: registry_add
15    product: windows
16detection:
17    selection:
18        EventType: CreateKey
19        TargetObject|contains:
20            - '\SOFTWARE\Microsoft\AMSI\Providers\'
21            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
22    filter:
23        Image|startswith:
24            - 'C:\Windows\System32\'
25            - 'C:\Program Files\'
26            - 'C:\Program Files (x86)\'
27    condition: selection and not filter
28falsepositives:
29    - Legitimate security products adding their own AMSI providers. Filter these according to your environment
30level: high

References

• AMSI Providers

  AMSI Providers Location: HKLM\SOFTWARE\Microsoft\AMSI\Providers HKLM\SOFTWARE\Classes\CLSID Classification: Criteria Value Permissions Admin Security context User; System Persistence type Registry ...

  
  Read More

• PSBits/FakeAMSI/FakeAMSI.c at 8d767892f3b17eefa4d0668f5d2df78e844f01d8 · gtworek/PSBits

  

  Simple (relatively) things allowing you to dig a bit deeper than usual. - gtworek/PSBits

  
  Read More

Related rules

• Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
• Change Default File Association To Executable Via Assoc
• File Creation In Suspicious Directory By Msdt.EXE
• File Download Via Bitsadmin To An Uncommon Target Folder
• PSEXEC Remote Execution File Artefact