Removal Of AMSI Provider Registry Keys

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Sigma rule (View on GitHub)

 1title: Removal Of AMSI Provider Registry Keys
 2id: 41d1058a-aea7-4952-9293-29eaaf516465
 3status: test
 4description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 7    - https://seclists.org/fulldisclosure/2020/Mar/45
 8author: frack113
 9date: 2021/06/07
10modified: 2023/02/08
11tags:
12    - attack.defense_evasion
13    - attack.t1562.001
14logsource:
15    product: windows
16    category: registry_delete
17detection:
18    selection:
19        EventType: DeleteKey
20        TargetObject|endswith:
21            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
22            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
23    condition: selection
24falsepositives:
25    - Unlikely
26level: high

References

Related rules

to-top