Detectionhighexperimental

Windows AMSI Related Registry Tampering Via CommandLine

Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu Dec 257dbbcac2-57a0-45ac-b306-ff30a8bd2981windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_key:
        CommandLine|contains|all:
            - '\Software\Microsoft\Windows Script\Settings'
            - 'AmsiEnable'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains: 'add'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd:
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'sp '
    condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

Resolving title…

mostafayahiax.medium.com

Resolving title…

mdsec.co.uk

Testing & Validation

Simulations

atomic-red-teamT1562.001

View on ART

AMSI Bypass - Create AMSIEnable Reg Key

GUID: 728eca7b-0444-4f6f-ac36-437e3d751dc0

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools T1562.006 · Indicator Blocking

Related Rules

SimilarDetectionhigh

AMSI Disabled via Registry Modification

Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

7dbbcac2-57a0-45ac-b306-ff30a8bd2981

Status

experimental

Level

high

Type

Detection

Created

Thu Dec 25

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml

Raw Tags

attack.defense-evasionattack.t1562.001attack.t1562.006

View on GitHub