AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
Sigma rule
title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
      type: similar
status: experimental
description: |
    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1562.006
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
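The following is an added example, not part of the rule or the Sigma project, showing how the rule's `selection` behaves when evaluated over registry value-set events. It assumes the Sysmon field names that the Sigma `registry_set` category is conventionally mapped to (Event ID 13, `TargetObject`, `Details`) and applies Sigma's default case-insensitive string matching for both `endswith` and plain equality. The events are constructed for illustration (the SID and process paths are made up); the two constants are copied from the rule. The sample set deliberately includes the near-misses a detection engineer would want to see excluded: the value being set back to 1, a sibling value under the same key, and a key-creation event that carries no value.

```python
"""Evaluate the AmsiEnable registry_set Sigma selection over constructed Sysmon-style events."""

# Constants copied from the rule's 'selection' block.
AMSI_TARGET_SUFFIX = r"\Software\Microsoft\Windows Script\Settings\AmsiEnable"
AMSI_DISABLED_DETAILS = "DWORD (0x00000000)"

# Sysmon event ID that the Sigma 'registry_set' category maps to (RegistryEvent: Value Set).
SYSMON_REGISTRY_VALUE_SET = 13

# Constructed sample events modelled on Sysmon's schema; not real telemetry, SID is invented.
USER_HIVE = r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    {   # expected hit: AmsiEnable written as 0 under a user hive
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000000)",
    },
    {   # no hit: same value, but set to 1 (AMSI left enabled / re-enabled)
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000001)",
    },
    {   # no hit: a different value under the same key, even though it is 0
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows Script\Settings\UnrelatedValue",
        "Details": "DWORD (0x00000000)",
    },
    {   # no hit: key creation (Sysmon Event ID 12) is not a value-set event
        "EventID": 12,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows Script\Settings",
        "Details": "",
    },
    {   # expected hit: same write with mixed case; Sigma matching is case-insensitive by default
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": USER_HIVE + r"\software\microsoft\windows script\settings\amsienable",
        "Details": "dword (0x00000000)",
    },
]


def matches_amsi_disable(event: dict) -> bool:
    """Return True when an event satisfies the rule: registry_set logsource plus both selection fields.

    'TargetObject|endswith' and the plain 'Details' comparison are both evaluated
    case-insensitively, mirroring Sigma's default string semantics.
    """
    if event.get("EventID") != SYSMON_REGISTRY_VALUE_SET:
        return False
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return target.endswith(AMSI_TARGET_SUFFIX.lower()) and details == AMSI_DISABLED_DETAILS.lower()


def evaluate(events: list[dict]) -> list[dict]:
    """Return the subset of events that would raise this rule's (level: high) alert."""
    return [e for e in events if matches_amsi_disable(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT AMSI disabled: {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```

Only the first and last sample events fire; the `Details` string must be the exact `DWORD (0x00000000)` rendering, so a backend that formats registry data differently (for example, as a bare integer) needs a field mapping before this rule will match at all.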
Related rules
- Windows AMSI Related Registry Tampering Via CommandLine
- Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- Windows Hypervisor Enforced Code Integrity Disabled
- Windows Vulnerable Driver Blocklist Disabled