sigmaDRL-1.1from SigmaHQ/sigma
Potential AMSI COM Server Hijacking
Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: test
description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
references:
- https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-08-17
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
filter:
Details: '%windir%\system32\amsi.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high