Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker registers a new AMSI provider in order to achieve persistence
Sigma rule

title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: test
description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
references:
    - https://persistence-info.github.io/Data/amsi.html
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/02/07
tags:
    - attack.persistence
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\AMSI\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter
falsepositives:
    - Legitimate security products adding their own AMSI providers. Filter these according to your environment
level: high
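The rule's "selection and not filter" logic, replayed over a handful of constructed registry_add events so the selection, the path-prefix filter and the two exclusions can be seen in action. This is an added example, not code from the rule or its page; the field names follow the rule, and every image path and CLSID in the sample events is made up.

```python
# Added example, not code from the rule page: evaluates the rule's
# "selection and not filter" logic over constructed registry_add events.
AMSI_PROVIDER_KEYS = (
    "\\SOFTWARE\\Microsoft\\AMSI\\Providers\\",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\",
)
# The filter allowlists by image path prefix only (no signature check),
# so tune it per environment as the rule's falsepositives note says.
TRUSTED_IMAGE_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
)

def selection(event: dict) -> bool:
    """Sigma 'selection': CreateKey under an AMSI Providers path.
    Sigma string matching is case-insensitive, hence the lower()."""
    target = event.get("TargetObject", "").lower()
    return event.get("EventType", "").lower() == "createkey" and any(
        key.lower() in target for key in AMSI_PROVIDER_KEYS)

def trusted_filter(event: dict) -> bool:
    """Sigma 'filter': Image starts with a trusted prefix."""
    image = event.get("Image", "").lower()
    return any(image.startswith(p.lower()) for p in TRUSTED_IMAGE_PREFIXES)

def matches(event: dict) -> bool:
    """Rule condition: selection and not filter."""
    return selection(event) and not trusted_filter(event)

def alerting_images(events) -> list:
    """Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]

# Constructed sample events (hypothetical paths/CLSIDs): two alert, three do not.
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "Image": "C:\\Users\\Public\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{11111111-0000-0000-0000-000000000001}"},
    {"EventType": "CreateKey", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\{11111111-0000-0000-0000-000000000002}"},
    # Excluded by the filter: a product installed under Program Files.
    {"EventType": "CreateKey", "Image": "C:\\Program Files\\ExampleAV\\avsvc.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{11111111-0000-0000-0000-000000000003}"},
    # Not an AMSI Providers key, and not a CreateKey event, respectively.
    {"EventType": "CreateKey", "Image": "C:\\Users\\Public\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventType": "SetValue", "Image": "C:\\Users\\Public\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{11111111-0000-0000-0000-000000000001}"},
]
```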
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Change Default File Association To Executable Via Assoc
- File Creation In Suspicious Directory By Msdt.EXE
- File Download Via Bitsadmin To An Uncommon Target Folder
- PSEXEC Remote Execution File Artefact