Removal Of AMSI Provider Registry Keys

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Sigma rule

title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Remove AMSI Provider Reg Key
      technique: T1562.001
      atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b
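
As an added example (not code from the Sigma project or the rule author), the following Python mirrors the rule's detection block and applies it to constructed registry delete events, showing that the Defender filter suppresses the engine's own key changes while a deletion by reg.exe still alerts. Field names follow Sysmon event ID 12 conventions; the Defender platform version folder and the sample paths are assumptions.

```python
# Added example (not the Sigma project's code): evaluate this rule's detection
# block over constructed registry_delete events with Sysmon-style field names.
AMSI_PROVIDER_KEYS = (  # the two provider CLSIDs in the rule's selection
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}",  # IOfficeAntiVirus
    "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",  # ProtectionManagement.dll
)
# filter_main_defender: Defender's own engine legitimately touches these keys.
DEFENDER_IMAGE_PREFIXES = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files (x86)\\Windows Defender\\",
)
DEFENDER_IMAGE_SUFFIX = "\\MsMpEng.exe"


def matches_rule(event: dict) -> bool:
    """True when 'selection and not 1 of filter_main_*' holds for the event."""
    # Sigma string modifiers are case-insensitive, so compare lowercased values.
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    selection = any(target.endswith(k.lower()) for k in AMSI_PROVIDER_KEYS)
    if not selection:
        return False
    is_defender = image.startswith(
        tuple(p.lower() for p in DEFENDER_IMAGE_PREFIXES)
    ) and image.endswith(DEFENDER_IMAGE_SUFFIX.lower())
    return not is_defender


def alerting_events(events: list) -> list:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {   # reg.exe removing the IOfficeAntiVirus provider key: should alert
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}",
    },
    {   # Defender's engine touching its own provider key: filtered out
        "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",
    },
    {   # unrelated registry deletion: no selection match
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting",
    },
]
```

Only the first sample event survives the condition; the Defender event is dropped by filter_main_defender even though its TargetObject matches the selection.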
