Type: Detection | Level: high | Status: experimental
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Thu Dec 25
Rule ID: aa37cbb0-da36-42cb-a90f-fdf216fc7467
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic
detection:
  selection:
    TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
    Details: 'DWORD (0x00000000)'
  condition: selection
False Positives
Unlikely
False positives are unlikely for most environments. High-confidence detection.
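To show what the selection above actually matches on endpoint telemetry, here is an added example (not part of the Sigma rule set or this page) that evaluates the rule's two field conditions against constructed Sysmon Event ID 13 (registry value set) records. It implements Sigma's case-insensitive string comparison and the `endswith` modifier used by the rule; the event dictionaries, SIDs and image paths are constructed sample data, and the helper names are the example's own.

```python
# Added example: evaluate the Sigma selection from the AMSI registry rule
# against constructed Sysmon Event ID 13 records. This is illustrative
# code, not the Sigma project's matching engine.

from typing import Dict, List

# The rule's selection map, transcribed from the YAML on the page.
SELECTION = {
    "TargetObject|endswith": r"\Software\Microsoft\Windows Script\Settings\AmsiEnable",
    "Details": "DWORD (0x00000000)",
}


def sigma_field_matches(event_value: str, key: str, expected: str) -> bool:
    """Apply one Sigma field condition.

    Sigma string comparisons are case-insensitive, and a backslash in a
    plain value is literal. 'endswith' is the only modifier this rule uses;
    a key with no modifier is an exact (case-insensitive) comparison.
    """
    _field, _, modifier = key.partition("|")
    actual = str(event_value).lower()
    wanted = expected.lower()
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "":
        return actual == wanted
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: Dict[str, object]) -> bool:
    """All entries of a Sigma selection map are AND-ed together."""
    for key, expected in SELECTION.items():
        field = key.split("|", 1)[0]
        if field not in event:
            return False  # a missing field can never satisfy the condition
        if not sigma_field_matches(str(event[field]), key, expected):
            return False
    return True


def find_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if selection_matches(e)]


# Constructed sample telemetry (hypothetical hosts, SIDs and processes).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {  # AmsiEnable set to 0 under a user hive: should alert
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000000)",
    },
    {  # same value written back to 1 (re-enabled): no alert
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000001)",
    },
    {  # unrelated key set to 0: no alert
        "EventID": 13,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000000)",
    },
    {  # machine-wide path in different letter case: still alerts
        "EventID": 13,
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKLM\SOFTWARE\MICROSOFT\Windows Script\Settings\AmsiEnable",
        "Details": "DWORD (0x00000000)",
    },
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} wrote {hit['Details']} to {hit['TargetObject']}")
```

Two of the four constructed records fire: the user-hive write and the differently cased machine-wide write. The record that sets the value back to 1 and the unrelated key do not, which is the behaviour behind the page's "false positives are unlikely" note, since the rule keys on both the exact value name and the disabling value rather than on any write under the Windows Script settings path.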
References
Testing & Validation
Simulations
Atomic Red Team, T1562.001: AMSI Bypass - Create AMSIEnable Reg Key
GUID: 728eca7b-0444-4f6f-ac36-437e3d751dc0
MITRE ATT&CK
Tactic: defense-evasion
Techniques: T1562.001, T1562.006
Rule Metadata
Rule ID
aa37cbb0-da36-42cb-a90f-fdf216fc7467
Status
experimental
Level
high
Type
Detection
Created
Thu Dec 25
Path
rules/windows/registry/registry_set/registry_set_amsi_disable.yml
Raw Tags
attack.defense-evasion, attack.t1562.001, attack.t1562.006