Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Sigma rule
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2023-02-08
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        EventType: DeleteKey
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    condition: selection
falsepositives:
    - Unlikely
level: high
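The rule above is a single selection with two conditions: the registry event type must be DeleteKey, and the target key path must end in one of the two provider CLSIDs. The following Python is an added example, not part of the rule or of the Sigma project, that applies the same logic to a few constructed log lines written in a simplified key=value layout modelled on Sysmon Event ID 12 (the event the windows/registry_delete log source is normally mapped to; that mapping is an assumption here). It also shows a detail that matters when porting the rule by hand: Sigma string matching is case-insensitive, so a lower-cased CLSID in the event must still match.

```python
import re
from typing import Dict, List

# CLSIDs copied from the rule's TargetObject|endswith list.
AMSI_PROVIDER_CLSIDS = (
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}",  # IOfficeAntiVirus
    "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",  # ProtectionManagement.dll
)

# Constructed sample log. Paths under Image are placeholders, not real tooling.
# Line 1: provider key deleted (should match).
# Line 2: same key created, not deleted (must not match).
# Line 3: provider key deleted, CLSID logged in lower case (should still match).
# Line 4: unrelated key deleted (must not match).
SAMPLE_LOG = r"""
EventID=12 EventType=DeleteKey Image="C:\constructed\example.exe" TargetObject="HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
EventID=12 EventType=CreateKey Image="C:\constructed\installer.exe" TargetObject="HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
EventID=12 EventType=DeleteKey Image="C:\constructed\example.exe" TargetObject="HKLM\SOFTWARE\Microsoft\AMSI\Providers\{a7c452ef-8e9f-42eb-9f2b-245613ca0dc9}"
EventID=12 EventType=DeleteKey Image="C:\constructed\service.exe" TargetObject="HKLM\SYSTEM\CurrentControlSet\Services\ConstructedSvc"
"""

# key=value tokens; values may be double-quoted (paths contain spaces and backslashes).
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line of the simplified log into a field dictionary."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for m in _TOKEN.finditer(line):
            key = m.group(1)
            fields[key] = m.group(2) if m.group(2) is not None else m.group(3)
        events.append(fields)
    return events


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's 'selection' block: DeleteKey AND TargetObject endswith one CLSID.

    Sigma compares strings case-insensitively, and 'endswith' is a plain suffix
    test rather than a regex, so both sides are lower-cased before comparison.
    """
    if event.get("EventType", "").lower() != "deletekey":
        return False
    target = event.get("TargetObject", "").lower()
    return any(target.endswith(clsid.lower()) for clsid in AMSI_PROVIDER_CLSIDS)


def find_matches(text: str) -> List[Dict[str, str]]:
    """Parse the log and return only the events the rule would alert on."""
    return [e for e in parse_log(text) if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LOG):
        print(f"ALERT level=high image={hit['Image']} target={hit['TargetObject']}")
```

Running the block reports the first and third sample lines only. If a port of this rule to another query language drops the case-insensitivity, the third line goes undetected, which is the kind of gap worth covering with a unit test like this before the rule is trusted in production.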
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility