Potential AMSI COM Server Hijacking
Detects changes to the AMSI COM server registry key made in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it queries the registered CLSID and is handed a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless.
Sigma rule
title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: experimental
description: Detects changes to the AMSI COM server registry key made in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it queries the registered CLSID and is handed a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
references:
    - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/04
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
    filter:
        Details: '%windir%\system32\amsi.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
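As an added example (not part of the rule or of the Sigma project), the rule's `selection and not filter` logic applied in Python to constructed Sysmon Event ID 13 style registry_set records, using Sigma's default case-insensitive string matching. The event field names, image paths and SID are assumptions; the key suffix and DLL path are the rule's own values.

```python
# Added example: evaluate the page's Sigma rule over constructed registry_set events.

# Values taken from the rule's selection and filter.
AMSI_CLSID_KEY_SUFFIX = r"\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)"
EXPECTED_AMSI_SERVER = r"%windir%\system32\amsi.dll"


def matches_amsi_com_hijack(event: dict) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    Sigma compares strings case-insensitively by default, so both the
    `endswith` test and the exact `Details` filter run on lowercased values.
    """
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    selection = target.endswith(AMSI_CLSID_KEY_SUFFIX.lower())
    excluded = details == EXPECTED_AMSI_SERVER.lower()
    return selection and not excluded


def triage(events: list[dict]) -> list[dict]:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_amsi_com_hijack(e)]


# Constructed sample events (Sysmon Event ID 13 field names; all values invented).
SAMPLE_EVENTS = [
    {   # Benign: the genuine in-proc server value is (re)written, filter excludes it.
        "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)",
        "Details": r"%windir%\system32\amsi.dll",
    },
    {   # Suspicious: per-user CLSID override pointing at a DLL that does not exist.
        "EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Local\Temp\missing.dll",
    },
    {   # Different CLSID: the endswith selection must not match.
        "EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\(Default)",
        "Details": r"C:\Program Files\Vendor\vendor.dll",
    },
    {   # Caveat: the real DLL written as an expanded path is not excluded by the
        # exact-match filter, so the rule still alerts (a likely false positive).
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)",
        "Details": r"C:\Windows\system32\amsi.dll",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["Details"])
```

The last sample shows why tuning the filter (for example to `Details|endswith: '\amsi.dll'`) may be needed in an environment where the value is written with an expanded path.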
Related rules
- Disable Exploit Guard Network Protection on Windows Defender
- Disable PUA Protection on Windows Defender
- Disable Privacy Settings Experience in Registry
- Disable Tamper Protection on Windows Defender
- Disable Windows Defender Functionalities Via Registry Keys