Sigma rule (DRL-1.1 license) from SigmaHQ/sigma
Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Rule source: rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Remove AMSI Provider Reg Key
      technique: T1562.001
      atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b
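To make the selection and filter above concrete, the following is an added example that evaluates the rule's logic in Python over a handful of constructed Sysmon records. It is not code from SigmaHQ or from this page, and it assumes two things the rule itself does not state: that the Sigma category registry_delete is mapped, as the common Sysmon pipelines do, to Event ID 12 with EventType DeleteKey or DeleteValue, and that Sigma string modifiers compare case-insensitively (so both sides are lower-cased). The sample events, including the Defender version directory and the user-writable path, are constructed for illustration.

```python
"""Evaluate the "Removal Of AMSI Provider Registry Keys" Sigma logic over
constructed Sysmon records.

Added example; not code from SigmaHQ or from this page.
Assumptions (not stated by the rule itself):
  * the Sigma category `registry_delete` is mapped, as the common Sysmon
    pipelines do, to Event ID 12 with EventType DeleteKey or DeleteValue;
  * Sigma string modifiers compare case-insensitively, so both sides are
    lower-cased here.
"""

# selection: TargetObject|endswith (values copied from the rule)
AMSI_PROVIDER_CLSIDS = (
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}",  # IOfficeAntiVirus
    "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}",  # ProtectionManagement.dll
)

# filter_main_defender: Image|startswith one of these AND Image|endswith the suffix
DEFENDER_IMAGE_PREFIXES = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files (x86)\\Windows Defender\\",
)
DEFENDER_IMAGE_SUFFIX = "\\MsMpEng.exe"


def _endswith_any(value, suffixes):
    value = value.lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def _startswith_any(value, prefixes):
    value = value.lower()
    return any(value.startswith(p.lower()) for p in prefixes)


def is_registry_delete(event):
    """logsource: product windows, category registry_delete (assumed Sysmon mapping)."""
    return event.get("EventID") == 12 and event.get("EventType") in ("DeleteKey", "DeleteValue")


def matches_rule(event):
    """condition: selection and not 1 of filter_main_*"""
    if not is_registry_delete(event):
        return False
    selection = _endswith_any(event.get("TargetObject", ""), AMSI_PROVIDER_CLSIDS)
    image = event.get("Image", "")
    # Both clauses of the filter must hold: a Defender directory AND the engine binary name,
    # so a copy of MsMpEng.exe run from elsewhere is not excluded.
    filter_main_defender = (
        _startswith_any(image, DEFENDER_IMAGE_PREFIXES)
        and _endswith_any(image, (DEFENDER_IMAGE_SUFFIX,))
    )
    return selection and not filter_main_defender


def alerts(events):
    """Return the subset of events the rule would raise."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events using Sysmon Event ID 12/13 field names; not real telemetry.
AMSI_PROVIDERS = "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
SAMPLE_EVENTS = [
    # reg.exe deleting Defender's AMSI provider key: alert
    {"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": AMSI_PROVIDERS + "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}"},
    # Defender's engine touching its own provider key from the Platform directory: filtered
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MsMpEng.exe",
     "TargetObject": AMSI_PROVIDERS + "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}"},
    # Binary named MsMpEng.exe running from a user-writable path: filter does not apply, alert
    {"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Users\\Public\\MsMpEng.exe",
     "TargetObject": AMSI_PROVIDERS + "{2781761E-28E0-4109-99FE-B9D127C57AFE}"},
    # Deletion of an unrelated value: no match
    {"EventID": 12, "EventType": "DeleteValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    # Same key written rather than deleted (Event ID 13): outside the logsource
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": AMSI_PROVIDERS + "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\\(Default)"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["TargetObject"])
```

Two points worth noting when tuning this rule. Because the selection matches only on the trailing CLSID, it also fires when a provider's COM class registration (the same GUID under HKLM\SOFTWARE\Classes\CLSID) is deleted, not only the key under AMSI\Providers; and the Defender exclusion is deliberately two-sided, so an attacker cannot suppress the alert merely by naming a tool MsMpEng.exe unless it also runs from one of the listed Defender directories.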