Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Sigma rule (View on GitHub)
1title: Removal Of AMSI Provider Registry Keys
2id: 41d1058a-aea7-4952-9293-29eaaf516465
3status: test
4description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
7 - https://seclists.org/fulldisclosure/2020/Mar/45
8author: frack113
9date: 2021-06-07
10modified: 2025-10-07
11tags:
12 - attack.defense-evasion
13 - attack.t1562.001
14logsource:
15 product: windows
16 category: registry_delete
17detection:
18 selection:
19 TargetObject|endswith:
20 - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
21 - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
22 filter_main_defender:
23 Image|startswith:
24 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
25 - 'C:\Program Files\Windows Defender\'
26 - 'C:\Program Files (x86)\Windows Defender\'
27 Image|endswith: '\MsMpEng.exe'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Unlikely
31level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Defense in depth -- the Microsoft way (part 64): Windows Defender loads and exeutes arbitrary DLLs From: "Stefan Kanthak" Date: Fri, 27 Mar 2020 05:27:56 +0100 Hi @ll, in September 2017, Microsoft ...
Read More
Related rules
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Suspicious Uninstall of Windows Defender Feature via PowerShell
- Suspicious Windows Service Tampering
- Sysmon Configuration Update
- Uninstall Sysinternals Sysmon