Detectionhighstable

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Bhabesh RajCreated Mon Sep 14Updated Wed Dec 07ea9bf0fa-edec-4fb8-8b78-b119f2528186windows

Log Source

Windowswindefend

ProductWindows← raw: windows

Servicewindefend← raw: windefend

Detection Logic

detection:
    selection:
        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
        SourceName: 'AMSI'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Techniques

T1059 · Command and Scripting Interpreter

Rule Metadata

Rule ID

ea9bf0fa-edec-4fb8-8b78-b119f2528186

Status

stable

Level

high

Type

Detection

Created

Mon Sep 14

Modified

Wed Dec 07

Author

Bhabesh Raj

Path

rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml

Raw Tags

attack.executionattack.t1059

View on GitHub