Detection rules › Sigma
Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections. Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content. This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
or:
TargetObject|contains: '\SOFTWARE\Microsoft\AMSI\Providers\'
TargetObject|contains: '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
Stage 2: not 1 of filter_optional_*
or:
Image: ['C:\Program Files\AVG\Antivirus\RegSvr.exe', 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe']
TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
Image: ['C:\Program Files\Avast Software\Avast\RegSvr.exe', 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe']
TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | eq |
|
TargetObject | match |
|