AMSI Disabled via Registry Modification

Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.

Sigma rule

title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
      type: similar
status: experimental
description: |
    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-evasion   # standard Sigma tactic tag for Impair Defenses
    - attack.t1562.001         # matches the simulation technique below (Disable or Modify Tools)
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # Sysmon Event ID 13: AmsiEnable written as a zero DWORD disables AMSI for the scripting hosts
        TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
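
To show how the selection above behaves on telemetry, the following added example (not the rule's own code and not part of the original page) transcribes the rule's `selection` block into Python and runs it over constructed Sysmon Event ID 13 (registry_set) events; the event field values, user SID and process paths are assumed sample data.

```python
# Added example: minimal evaluator for the rule's selection over constructed
# Sysmon Event ID 13 (registry_set) events. Not part of the Sigma project.
from typing import Dict, List

# Rule logic transcribed from the Sigma rule above
TARGET_SUFFIX = r"\Software\Microsoft\Windows Script\Settings\AmsiEnable"
DISABLED_DETAILS = "DWORD (0x00000000)"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True if the event satisfies the rule's `selection` block.

    Sigma string matching is case-insensitive by default, so `endswith`
    compares lowercased values; `Details` must equal the zero DWORD.
    """
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    return target.lower().endswith(TARGET_SUFFIX.lower()) and details == DISABLED_DETAILS


# Constructed sample events in the shape Sysmon Event ID 13 yields (assumed values, not real telemetry)
AMSI_KEY = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows Script\\Settings"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # AmsiEnable set to 0 under the user hive: the behaviour the rule targets
        "EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": AMSI_KEY + "\\AmsiEnable", "Details": "DWORD (0x00000000)",
    },
    {   # Same value set back to 1 (AMSI re-enabled): must not fire
        "EventID": "13", "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": AMSI_KEY + "\\AmsiEnable", "Details": "DWORD (0x00000001)",
    },
    {   # A zero DWORD written to a different value under the same key: must not fire
        "EventID": "13", "Image": "C:\\Windows\\System32\\wscript.exe",
        "TargetObject": AMSI_KEY + "\\Other", "Details": "DWORD (0x00000000)",
    },
]


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this (level: high) rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"[high] AMSI disabled via registry: {e['Image']} -> {e['TargetObject']}")
```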
