Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Credit(s): frack113
Example:
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Related
Ransomware, Persistence
Reference:
https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
https://seclists.org/fulldisclosure/2020/Mar/45
{{mitre("T1562.001")}}
Data Source(s): Windows Registry
let exclusion_defender= dynamic([@'c:\programdata\microsoft\windows defender',@'c:\program files\windows defender']); //Exclude activities from Microsoft Defender itself
DeviceRegistryEvents
| where ActionType == "RegistryKeyDeleted"
| where not(InitiatingProcessFolderPath has_any(exclusion_defender) and InitiatingProcessFileName == "msmpeng.exe") and (PreviousRegistryKey endswith '{2781761E-28E0-4109-99FE-B9D127C57AFE}' or PreviousRegistryKey endswith '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}')
- Inspect if the activity is expected and approved. It may be performed by an admin or a service
- Unlikely
Version 1.0 (date: 31/10/2023)