Potential Persistence Via New AMSI Providers - Registry

Detects when an attacker registers a new AMSI provider in order to achieve persistence

Sigma rule

title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: test
description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
references:
    - https://persistence-info.github.io/Data/amsi.html
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
    - attack.persistence
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\AMSI\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter
falsepositives:
    - Legitimate security products adding their own AMSI providers. Filter these according to your environment
level: high
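As an added illustration (not part of the rule or the Sigma project), the rule's "selection and not filter" logic in Python, evaluated over constructed Sysmon-style registry events; the binary paths, provider GUIDs and the ExampleAV product name are made up, and the matching mirrors Sigma's case-insensitive contains/startswith modifiers.

```python
# Added example (not from the Sigma project): the rule's "selection and not filter" logic over constructed events.
# TargetObject|contains patterns from the rule (64-bit and WOW6432Node views)
AMSI_PROVIDER_PATHS = (
    "\\SOFTWARE\\Microsoft\\AMSI\\Providers\\",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\",
)
# Image|startswith prefixes the rule's filter treats as expected installer locations
TRUSTED_IMAGE_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
)


def matches_rule(event):
    """True when the event satisfies the rule; Sigma contains/startswith are case-insensitive."""
    if event.get("EventType") != "CreateKey":
        return False
    target = event.get("TargetObject", "").lower()
    if not any(p.lower() in target for p in AMSI_PROVIDER_PATHS):
        return False  # selection not met
    image = event.get("Image", "").lower()
    # filter: creating process runs from a trusted install path
    return not any(image.startswith(p.lower()) for p in TRUSTED_IMAGE_PREFIXES)


def ev(event_type, image, target):
    return {"EventType": event_type, "Image": image, "TargetObject": target}


# Constructed sample events modelled on Sysmon Event ID 12 (registry object create/delete)
SAMPLE_EVENTS = [
    # unknown binary in a user-writable directory registers a provider -> alert
    ev("CreateKey", "C:\\Users\\Public\\updater.exe",
       "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{11111111-2222-3333-4444-555555555555}"),
    # 32-bit provider registered under WOW6432Node, same behaviour -> alert
    ev("CreateKey", "C:\\Temp\\setup.exe",
       "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    # security product installer under Program Files -> suppressed by the filter
    ev("CreateKey", "C:\\Program Files\\ExampleAV\\install.exe",
       "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{99999999-8888-7777-6666-555555555555}"),
    # value write rather than key creation -> EventType does not match
    ev("SetValue", "C:\\Users\\Public\\updater.exe",
       "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{11111111-2222-3333-4444-555555555555}\\(Default)"),
]


def alerting_images(events):
    """Image path of every event that fires the rule, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]
```

The third sample shows why the false-positive note matters: anything launched from Program Files is suppressed, so the filter should be tightened or the alert reviewed against the security products actually deployed.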
