Potential AMSI COM Server Hijacking

Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless.

Sigma rule

title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: experimental
description: Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless.
references:
    - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/04
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
    filter:
        Details: '%windir%\system32\amsi.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
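As an added example (not the rule's own code and not from the SigmaHQ project), the following Python applies the rule's `selection and not filter` logic to a few constructed registry_set events in Sysmon Event ID 13 shape; the field names TargetObject, Details and Image follow the Sigma field names, while the sample process paths, SID and DLL names are made up. It also exercises one caveat worth knowing when tuning: the filter only excludes the literal `%windir%\system32\amsi.dll`, so a legitimate write that stores the expanded path still triggers the rule.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): applies the
# rule's 'selection and not filter' logic to constructed registry_set events.
from typing import Dict, List

Event = Dict[str, str]
# The registry value the rule watches: the AMSI COM class's InProcServer32 path.
AMSI_INPROC_SUFFIX = r"\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)"
# The only value the filter treats as legitimate (exact, case-insensitive match).
LEGIT_AMSI_SERVER = r"%windir%\system32\amsi.dll"

def matches_rule(event: Event) -> bool:
    """True when the event satisfies 'selection and not filter'."""
    # Sigma string matching is case-insensitive, so both sides are lowered.
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    selection = target.endswith(AMSI_INPROC_SUFFIX.lower())
    filtered = details == LEGIT_AMSI_SERVER.lower()
    return selection and not filtered

def find_alerts(events: List[Event]) -> List[str]:
    """Return the Image (writing process) of every event that triggers the rule."""
    return [e["Image"] for e in events if matches_rule(e)]

# Constructed sample events in Sysmon Event ID 13 shape; none are real telemetry.
HKLM_CLASSES = r"HKLM\SOFTWARE\Classes"
HKU_CLASSES = r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Classes"  # made-up SID
SAMPLE_EVENTS: List[Event] = [
    {   # per-user class override pointing at a DLL that does not exist -> alert
        "Image": r"C:\Users\alice\Downloads\updater.exe",
        "TargetObject": HKU_CLASSES + AMSI_INPROC_SUFFIX.upper(),  # key case varies
        "Details": r"C:\Users\alice\AppData\Local\Temp\missing.dll",
    },
    {   # installer rewriting the genuine value -> suppressed by the filter
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": HKLM_CLASSES + AMSI_INPROC_SUFFIX,
        "Details": r"%windir%\system32\amsi.dll",
    },
    {   # caveat: an expanded path is not the filter's literal, so it still alerts
        "Image": r"C:\Windows\System32\regedit.exe",
        "TargetObject": HKLM_CLASSES + AMSI_INPROC_SUFFIX,
        "Details": r"C:\Windows\System32\amsi.dll",
    },
]

if __name__ == "__main__":
    for image in find_alerts(SAMPLE_EVENTS):
        print("ALERT: Potential AMSI COM Server Hijacking, written by", image)
```

Running it prints two alerts (the per-user override and the expanded-path write); if the expanded form is common in your environment, extend the filter rather than lowering the level.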
