Threat Hunt (level: low, status: test)
Amsi.DLL Load By Uncommon Process
Detects loading of Amsi.dll by uncommon processes
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (7 selectors)
detection:
  selection:
    ImageLoaded|endswith: '\amsi.dll'
  filter_main_exact:
    Image|endswith:
      - ':\Windows\explorer.exe'
      - ':\Windows\Sysmon64.exe'
  filter_main_generic:
    Image|contains:
      - ':\Program Files (x86)\'
      - ':\Program Files\'
      - ':\Windows\System32\'
      - ':\Windows\SysWOW64\'
      - ':\Windows\WinSxS\'
  filter_optional_defender:
    Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
    Image|endswith: '\MsMpEng.exe'
  filter_main_dotnet:
    Image|contains:
      - ':\Windows\Microsoft.NET\Framework\'
      - ':\Windows\Microsoft.NET\Framework64\'
      - ':\Windows\Microsoft.NET\FrameworkArm\'
      - ':\Windows\Microsoft.NET\FrameworkArm64\'
    Image|endswith: '\ngentask.exe'
  filter_main_null:
    Image: null
  filter_main_empty:
    Image: ''
  condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Legitimate third-party apps installed under "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly.
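The detection logic above, written out as a plain Python predicate and run over a handful of constructed image_load events, as an added example (this is not the Sigma project's code and not a converter backend; the event dicts are made up and carry only the Image and ImageLoaded fields the rule uses, and the Defender platform version directory is a placeholder). It implements the selector semantics the rule relies on: two modifiers in one selector are ANDed, `Image: null` matches an absent field, and string matching is case-insensitive as Sigma specifies by default. The second sample event shows the ProgramData case the False Positives note warns about.

```python
"""Added example: Sigma rule 'Amsi.DLL Load By Uncommon Process' as a Python predicate.
Not the Sigma project's code. All sample events are constructed."""

# Sigma string matching is case-insensitive by default, so compare lowercased values.
AMSI_SUFFIX = "\\amsi.dll"

# filter_main_exact: two fully qualified loaders that are always allowed.
EXACT_IMAGES = (":\\windows\\explorer.exe", ":\\windows\\sysmon64.exe")

# filter_main_generic: trusted directory fragments anywhere in the loader path.
GENERIC_DIRS = (":\\program files (x86)\\", ":\\program files\\", ":\\windows\\system32\\",
                ":\\windows\\syswow64\\", ":\\windows\\winsxs\\")

# filter_main_dotnet: both Image modifiers in the selector must hold (AND).
DOTNET_DIRS = (":\\windows\\microsoft.net\\framework\\", ":\\windows\\microsoft.net\\framework64\\",
               ":\\windows\\microsoft.net\\frameworkarm\\", ":\\windows\\microsoft.net\\frameworkarm64\\")
DOTNET_IMAGE = "\\ngentask.exe"

# filter_optional_defender: likewise an AND of the two Image modifiers.
DEFENDER_DIR = ":\\programdata\\microsoft\\windows defender\\platform\\"
DEFENDER_IMAGE = "\\msmpeng.exe"


def _lower(value):
    """Lowercase strings; leave None (missing field) and '' untouched."""
    return value.lower() if isinstance(value, str) else value


def selection(event):
    loaded = _lower(event.get("ImageLoaded"))
    return isinstance(loaded, str) and loaded.endswith(AMSI_SUFFIX)


def filter_main_exact(image):
    return isinstance(image, str) and image.endswith(EXACT_IMAGES)


def filter_main_generic(image):
    return isinstance(image, str) and any(d in image for d in GENERIC_DIRS)


def filter_main_dotnet(image):
    return (isinstance(image, str) and any(d in image for d in DOTNET_DIRS)
            and image.endswith(DOTNET_IMAGE))


def filter_main_null(image):
    # 'Image: null' matches events where the field is absent or null.
    return image is None


def filter_main_empty(image):
    return image == ""


def filter_optional_defender(image):
    return isinstance(image, str) and DEFENDER_DIR in image and image.endswith(DEFENDER_IMAGE)


MAIN_FILTERS = (filter_main_exact, filter_main_generic, filter_main_dotnet,
                filter_main_null, filter_main_empty)
OPTIONAL_FILTERS = (filter_optional_defender,)


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(event):
        return False
    image = _lower(event.get("Image"))
    if any(f(image) for f in MAIN_FILTERS):
        return False
    return not any(f(image) for f in OPTIONAL_FILTERS)


def hunt(events):
    """Return the loader path of every event the rule flags."""
    return [e.get("Image") for e in events if matches(e)]


AMSI = "C:\\Windows\\System32\\amsi.dll"
# Constructed image_load events (Sysmon event ID 7 shape, only the two fields the rule reads).
SAMPLE_EVENTS = [
    # 1. Tool in a user temp dir loading amsi.dll: the case the rule hunts for.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": AMSI},
    # 2. Third-party app under ProgramData: also flagged; the false-positive source
    #    the rule's note asks you to filter locally.
    {"Image": "C:\\ProgramData\\VendorApp\\agent.exe", "ImageLoaded": AMSI},
    # 3. explorer.exe: excluded by filter_main_exact.
    {"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": AMSI},
    # 4. PowerShell from System32: excluded by filter_main_generic (mixed case on purpose).
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "c:\\windows\\system32\\AMSI.DLL"},
    # 5. Defender engine (placeholder version dir): excluded by filter_optional_defender.
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-0\\MsMpEng.exe",
     "ImageLoaded": AMSI},
    # 6. ngentask.exe under the .NET framework dir: excluded by filter_main_dotnet.
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe", "ImageLoaded": AMSI},
    # 7. Image field missing entirely: excluded by filter_main_null.
    {"ImageLoaded": AMSI},
    # 8. Same temp tool loading a different DLL: selection does not fire.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]

if __name__ == "__main__":
    for image in hunt(SAMPLE_EVENTS):
        print("amsi.dll loaded by uncommon process:", image)
```

Running it prints only events 1 and 2. To tune the rule for an environment where event 2 is routine, add a local `filter_main_*` entry for that vendor path rather than loosening `filter_main_generic`, so the System32 and Program Files exclusions stay as narrow as the upstream rule intends.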
MITRE ATT&CK
Techniques: T1490 (from raw tags attack.t1490; tactics attack.defense-evasion, attack.impact)
Other: detection.threat-hunting
Rule Metadata
Rule ID: facd1549-e416-48e0-b8c4-41d7215eedc8
Status: test
Level: low
Type: Threat Hunt
Created: Sun Mar 12
Modified: Mon Feb 24
Author:
Path: rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
Raw Tags: attack.defense-evasion, attack.impact, attack.t1490, detection.threat-hunting