Potential Persistence Via New AMSI Providers - Registry

Nov 26, 2025 · attack.persistence ·

Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections. Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content. This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via New AMSI Providers - Registry
 2id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
 3status: test
 4description: |
 5    Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
 6    Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
 7    This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.    
 8references:
 9    - https://persistence-info.github.io/Data/amsi.html
10    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-07-21
13modified: 2025-10-26
14tags:
15    - attack.persistence
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|contains:
22            - '\SOFTWARE\Microsoft\AMSI\Providers\'
23            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
24    filter_optional_avast:
25        Image:
26            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
27            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
28        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
29    filter_optional_avg:
30        Image:
31            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
32            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
33        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
34    filter_optional_avira:
35        Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
36        TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
37    condition: selection and not 1 of filter_optional_*
38falsepositives:
39    - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
40level: medium
41regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml

References

AMSI Providers

AMSI Providers Location: HKLM\SOFTWARE\Microsoft\AMSI\Providers HKLM\SOFTWARE\Classes\CLSID Classification: Criteria Value Permissions Admin Security context User; System Persistence type Registry ...

Read More
PSBits/FakeAMSI/FakeAMSI.c at 8d767892f3b17eefa4d0668f5d2df78e844f01d8 · gtworek/PSBits

Simple (relatively) things allowing you to dig a bit deeper than usual. - gtworek/PSBits

Read More

Potential Persistence Via New AMSI Providers - Registry

Sigma rule (View on GitHub)

References

AMSI Providers

PSBits/FakeAMSI/FakeAMSI.c at 8d767892f3b17eefa4d0668f5d2df78e844f01d8 · gtworek/PSBits

Related rules