Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Sigma rule
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Remove AMSI Provider Reg Key
      technique: T1562.001
      atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b
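The rule's detection logic, as an added example that is not part of the rule or the Sigma project: a small Python evaluator that applies the selection and the filter_main_defender exclusion to constructed registry_delete events, including the edge case of a MsMpEng.exe copy running outside the Defender directories. Field names follow Sigma's TargetObject and Image; the event class and the sample paths are assumptions.

```python
from dataclasses import dataclass

# Provider CLSIDs from the rule's selection.
AMSI_PROVIDER_CLSIDS = (
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}",  # IOfficeAntiVirus
    "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",  # ProtectionManagement.dll
)
# Image prefixes from filter_main_defender.
DEFENDER_DIRS = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files (x86)\\Windows Defender\\",
)

@dataclass
class RegistryDeleteEvent:  # assumed minimal shape of a windows/registry_delete event
    target_object: str  # Sigma field TargetObject (deleted key/value path)
    image: str          # Sigma field Image (process performing the delete)

def matches_selection(ev):
    # TargetObject|endswith; Sigma string modifiers compare case-insensitively.
    target = ev.target_object.lower()
    return any(target.endswith(c.lower()) for c in AMSI_PROVIDER_CLSIDS)

def matches_filter_main_defender(ev):
    # The two fields inside the filter are ANDed: the process must live under a
    # Defender directory AND be named MsMpEng.exe. A copy of the binary elsewhere
    # does not satisfy the filter, so the rule still fires on it.
    image = ev.image.lower()
    in_defender_dir = any(image.startswith(d.lower()) for d in DEFENDER_DIRS)
    return in_defender_dir and image.endswith("\\msmpeng.exe")

def alerts(ev):
    # condition: selection and not 1 of filter_main_*
    return matches_selection(ev) and not matches_filter_main_defender(ev)

# Constructed sample events, not real telemetry; expected verdict in each comment.
P = "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
SAMPLE_EVENTS = [
    RegistryDeleteEvent(P + "{2781761E-28E0-4109-99FE-B9D127C57AFE}", "C:\\Windows\\System32\\reg.exe"),  # alert
    RegistryDeleteEvent(P + "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",
                        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe"),  # filtered
    RegistryDeleteEvent(P + "{a7c452ef-8e9f-42eb-9f2b-245613ca0dc9}", "C:\\Users\\Public\\MsMpEng.exe"),  # alert
    RegistryDeleteEvent("HKLM\\SOFTWARE\\Microsoft\\AMSI\\FeatureBits", "C:\\Windows\\System32\\reg.exe"),  # no match
]

def evaluate(events):
    """Return the rule verdict (True = alert) for each event, in order."""
    return [alerts(ev) for ev in events]
```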