Type: Detection | Level: high | Status: test

Removal Of AMSI Provider Registry Keys

Detects the deletion of AMSI provider registry key entries under HKLM\Software\Microsoft\AMSI. AMSI loads its scanning providers from the CLSIDs registered there, so removing a provider's registration stops amsi.dll from loading that engine and content passed through AMSI is no longer inspected by it. An attacker can use this to disable AMSI inspection without touching amsi.dll itself.

Author: François Hubaut | Created: Mon Jun 07 | Updated: Tue Oct 07 | Rule ID: 41d1058a-aea7-4952-9293-29eaaf516465 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Delete (raw: registry_delete)
Detection Logic (2 selectors)
detection:
    selection:
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
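The filter above is a single YAML map, so both of its keys must hold for an event to be suppressed: the image has to sit in one of the Defender directories AND be MsMpEng.exe. To make that and the case-insensitive matching concrete, the following is an added example (not code from the SigmaHQ rule, the Sigma project or this page) that re-implements the rule's selection/filter logic in Python and runs it over constructed Sysmon Event ID 12 records. It assumes the common Sigma Sysmon mapping of the registry_delete log source to EventID 12 with EventType DeleteKey, and uses Sysmon's TargetObject and Image field names; the sample events are invented.

```python
# Added example, not the SigmaHQ rule's own code: the rule's
# `selection and not 1 of filter_main_*` logic applied to constructed
# Sysmon Event ID 12 (registry key create/delete) records.

PROVIDER_CLSIDS = (
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}",  # IOfficeAntiVirus
    "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",  # ProtectionManagement.dll
)
DEFENDER_DIRS = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files (x86)\\Windows Defender\\",
)


def _ci_endswith(value, suffixes):
    # Sigma string modifiers are case-insensitive; mirror that here.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _ci_startswith(value, prefixes):
    v = value.lower()
    return any(v.startswith(p.lower()) for p in prefixes)


def selection(event):
    """TargetObject|endswith one of the two provider CLSIDs."""
    return _ci_endswith(event.get("TargetObject", ""), PROVIDER_CLSIDS)


def filter_main_defender(event):
    """Both map keys must hold (AND): Defender directory AND MsMpEng.exe."""
    image = event.get("Image", "")
    return _ci_startswith(image, DEFENDER_DIRS) and _ci_endswith(image, (r"\MsMpEng.exe",))


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    # Assumption: registry_delete maps to Sysmon EventID 12 / EventType DeleteKey,
    # as the common Sigma Sysmon pipelines do.
    if event.get("EventID") != 12 or event.get("EventType") != "DeleteKey":
        return False
    return selection(event) and not filter_main_defender(event)


# Constructed sample events (not real telemetry).
PROVIDER_KEY = r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
SAMPLE_EVENTS = [
    # 0: reg.exe removes the Defender provider registration -> alert
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": PROVIDER_KEY},
    # 1: Defender's own service touching its provider key -> filtered
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MsMpEng.exe",
     "TargetObject": PROVIDER_KEY},
    # 2: another binary in a Defender directory -> still alerts (filter needs MsMpEng.exe)
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "TargetObject": PROVIDER_KEY},
    # 3: a file named MsMpEng.exe outside the Defender directories -> still alerts
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Users\Public\MsMpEng.exe", "TargetObject": PROVIDER_KEY},
    # 4: same CLSID in lower case -> alerts (matching is case-insensitive)
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": PROVIDER_KEY.lower()},
    # 5: deletion of an unrelated key -> no alert
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": r"HKLM\SOFTWARE\Contoso\Setting"},
    # 6: creation (not deletion) of the provider key -> no alert
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\msiexec.exe", "TargetObject": PROVIDER_KEY},
]


def matching_indices(events=SAMPLE_EVENTS):
    """Indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indices():
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event[{i}]: {e['Image']} deleted {e['TargetObject']}")
```

Events 2 and 3 are the ones worth noting when tuning: a binary in the Defender directory that is not MsMpEng.exe, or an MsMpEng.exe copied elsewhere, is not excluded by the filter, which is the intended behaviour since only the real service path is trusted.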
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Testing & Validation

Simulations

Atomic Red Team: T1562.001

AMSI Bypass - Remove AMSI Provider Reg Key

GUID: 13f09b91-c953-438e-845b-b585e51cac9b

Regression Tests

Positive Detection Test (by SigmaHQ Team): 1 match, evtx, Microsoft-Windows-Sysmon

Rule Metadata
Rule ID
41d1058a-aea7-4952-9293-29eaaf516465
Status
test
Level
high
Type
Detection
Created
Mon Jun 07
Modified
Tue Oct 07
Path
rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
Raw Tags
attack.defense-evasion, attack.t1562.001